Getting Data In

Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren
Explorer

Hello,

I am trying to blacklist EventCode 5152 in inputs.conf. I have tried putting it in a different order in the list below (blacklist, blacklist3, blacklist5), and that didn't work. I have tried with the current message setting as well as typing out the message and that did not help. The other events listed are currently being blocked correctly. My current version of Splunk is 7.0.0. Any help would be appreciated.

From the inputs.conf file:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
blacklist = EventCode="5152" Message="*"
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4932" Message="*"
blacklist4 = EventCode="4933" Message="*"

From Splunk search

11/29/2018 01:44:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5152
EventType=0
Type=Information
ComputerName=XXX.northgrum.com
TaskCategory=Filtering Platform Packet Drop
OpCode=Info
RecordNumber=36423970
Keywords=Audit Failure
Message=The Windows Filtering Platform has blocked a packet.

Application Information:

Process ID:     0
    Application Name:   -

Network Information:

Direction:      Inbound
    Source Address:     XXX
    Source Port:        8080
    Destination Address:    XXX
    Destination Port:       64430
    Protocol:       6

Filter Information:

Filter Run-Time ID: 70679
    Layer Name:     Transport
    Layer Run-Time ID:  13

EventCode = 5152

host = XXX
source = WinEventLog:Security
sourcetype = WinEventLog:Security

vinod94
Contributor

You can try for one Event Code,

[WinEventLog://Security]
 disabled = 0
 start_from = oldest
 current_only = 0
 evt_resolve_ad_obj = 1
 checkpointInterval = 5
 index = wineventlog
 blacklist1 = 5152

If you have multiple event codes, you can put blacklist1 = 5152,4662
Let me know if this works.

petom
Path Finder

As per inputs.conf try this:

  blacklist1 = EventCode="5152"
  blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
  blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
  blacklist4 = EventCode="4932"
  blacklist5 = EventCode="4933"

or simply just:

  blacklist1 = 5152,4932,4933
  blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
  blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
0 Karma

bwaldren
Explorer

I tried as you suggested and it did not work. I then tried with spaces between the commas and with quotes around each number and it did not work. I restarted Splunkd service each time.

0 Karma

woodcock
Esteemed Legend

Did you deploy this to all of your forwarders and restart the Splunk instances there?

0 Karma

dkeck
Influencer

Hi,

I know you ask for blacklist and I see why, but if this is not working for you, did you try sending to nullQueue on the Indexer?

props.conf

  [WinEventLog:Security]
  TRANSFORMS-<name> = <name_in_transforms>

transforms.conf

  [<name_in_transforms>]
  # the REGEX value is taken literally, so do not wrap it in quotes
  REGEX = EventCode=(4662|4634|4672)
  DEST_KEY = queue
  FORMAT = nullQueue

If you want to filter for more than the EventCode number, you can just add to the Regex, but you will need a (?s) in front, because of the new line characters in wineventlog events ( REGEX="(?s)EventCode=(4662|4634|4672).*Message=[....] )

0 Karma
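To make the two filtering mechanisms in this thread concrete, here is an added example (not from the thread or from Splunk) that models the inputs.conf blacklist from the earlier replies and the transforms.conf nullQueue routing just described, over constructed multi-line events shaped like the 5152 event quoted above. It assumes each quoted value in a blacklist line is a regex applied to that one field, that the nullQueue REGEX is matched against the whole raw event, and uses Python's re module in place of Splunk's PCRE engine.

```python
import re

# Constructed sample events in the multi-line layout of the WinEventLog input
# (abridged from the 5152 event quoted in the thread; 4662 and 4624 are made up).
SAMPLE_EVENTS = [
    "11/29/2018 01:44:20 PM\nLogName=Security\nEventCode=5152\nEventType=0\n"
    "TaskCategory=Filtering Platform Packet Drop\n"
    "Message=The Windows Filtering Platform has blocked a packet.\n",
    "11/29/2018 01:44:21 PM\nLogName=Security\nEventCode=4662\nEventType=0\n"
    "TaskCategory=Directory Service Access\n"
    "Message=An operation was performed on an object.\n"
    "Object Type:\tgroupPolicyContainer\n",
    "11/29/2018 01:44:22 PM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "TaskCategory=Logon\nMessage=An account was successfully logged on.\n",
]

def parse_event(event):
    """Split the header 'Key=Value' lines from the multi-line Message body."""
    head, _, body = event.partition("Message=")
    fields = dict(l.split("=", 1) for l in head.splitlines() if "=" in l)
    fields["Message"] = body
    return fields

def blacklisted_by_inputs(event, eventcode_re, message_re):
    """Model an inputs.conf line  blacklistN = EventCode="..." Message="..." :
    each quoted value is a regex applied to that one field; both must match."""
    f = parse_event(event)
    return (re.search(eventcode_re, f["EventCode"]) is not None
            and re.search(message_re, f["Message"]) is not None)

def dropped_by_transform(event, regex):
    """Model a transforms.conf stanza with DEST_KEY=queue / FORMAT=nullQueue:
    REGEX is matched against the whole raw event, newlines included."""
    return re.search(regex, event) is not None

def surviving_codes(events, regex):
    """EventCodes still indexed after the nullQueue REGEX has been applied."""
    return [parse_event(e)["EventCode"] for e in events
            if not dropped_by_transform(e, regex)]

# The thread's EventCode-only filter, with 5152 added as the asker did.
CODE_ONLY = r"EventCode=(4662|4634|4672|5152)"
# Narrowed by Message text. Without (?s) the '.' in '.*' never crosses the
# newline after the EventCode line, so the filter silently drops nothing.
WITHOUT_S = r"EventCode=5152.*Message=The Windows Filtering Platform"
WITH_S = r"(?s)EventCode=5152.*Message=The Windows Filtering Platform"

if __name__ == "__main__":
    for name, rx in [("CODE_ONLY", CODE_ONLY), ("WITHOUT_S", WITHOUT_S), ("WITH_S", WITH_S)]:
        print(name, "keeps", surviving_codes(SAMPLE_EVENTS, rx))
```

The 4662 lookahead from the blacklist lines behaves the same way in this model: a 4662 event whose Object Type is groupPolicyContainer is kept, any other 4662 event is dropped.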

bwaldren
Explorer

Which props.conf file do I modify? There are several on the host machine.

0 Karma

dkeck
Influencer

You can set up a new app for this to include your /local/props.conf and /local/transforms.conf. Then deploy it to your Indexer.

Or there is already an app working with WinEventLog:Security, so you could add it there.

Please note that you have to edit two conf files, transforms.conf and props.conf.

0 Karma

bwaldren
Explorer

What is the location of the props.conf and transform.conf files I am to modify? c:\program file\splunk...
My host server is generating 100k of these events every day so I would like to start on this server.

0 Karma

dkeck
Influencer

You have to create these files yourself on the indexer (or on the master and apply a new bundle if you have a cluster).

Set up a new app, with a local directory.

Create props.conf and transforms.conf.

Add and edit the content I posted above and save the files.

Restart splunkd

0 Karma

bwaldren
Explorer

I created these two files like you requested. I added a |5152 in the transforms.conf file. I placed them in the Splunk\etc folder.

What you mean by setting up a new app with a local directory?

I restarted splunkd and it still was not working.

0 Karma

dkeck
Influencer

You probably want to gain some knowledge about apps first before continuing.

Please tell me what your environment looks like: do you have a standalone Splunk instance or several with different roles? (Search Head, Indexer etc.)

In general you will create an app in $SPLUNK_HOME/etc/apps/. Create a new folder in apps with the name of your app. Let's call it "my_first_app".

So we have $SPLUNK_HOME/etc/apps/my_first_app. Next you need to create a "local" directory in my_first_app. So $SPLUNK_HOME/etc/apps/my_first_app/local. Within local you place your transforms.conf and props.conf.

Please post what your conf files look like now; maybe there's an error in there as well.

0 Karma

bwaldren
Explorer

Before I respond to your questions, I think I have uncovered something.

The blacklisting 'seems' to be working, but not on the events occurring on the host server. Initially, I was just looking at events, but then I realized the events were only coming from one server and that was the host.

Is there something Splunk related I need to do from the host server to keep this event from getting into the index?

0 Karma

bwaldren
Explorer

Also, as a test, I removed the blacklisting event and I got this event from multiple servers.

0 Karma

prakash007
Builder

How about a tweak in the order of blacklist...

 blacklist1 = EventCode="5152" Message="*"
 blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
 blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
 blacklist4 = EventCode="4932" Message="*"
 blacklist5 = EventCode="4933" Message="*"
0 Karma

bwaldren
Explorer

Moving it to the top was unsuccessful. I tried restarting the service and still did not work.

0 Karma