Getting Data In

Why is Windows event monitoring blacklist ignored?

cmlombardo
Path Finder

Hello there. I have this stanza configured for event logs on the Domain Controllers:

[WinEventLog://Security]
disabled = 0
index=winos_i
blacklist1 = EventCode="4662" Message="Object Name:\s+CN=(?!mycn-1|mycn-2)"
blacklist2 = 538,565,566,576,835,836,837,4931,4932,4933

 

Basically, I want only the 4662 events related to the CNs above.

Well... I push the configuration to the DCs... and suddenly i get ALL 4662 events.

What is wrong with that configuration? Can't figure this out.

Thank you...

Tags (1)
0 Karma

cmlombardo
Path Finder

The REGEX matches for a message that does not contain either of those 2 CN. So all the matched events should be blacklisted. But they're not.

 

Negative lookahead is the only simple option to filter .those messages. Otherwise you'll need to use a very "unreadable" regex to have the same result.

Also, the negative lookahead to filter 4662 events is what is suggested here:

https://www.splunk.com/en_us/blog/tips-and-tricks/controlling-4662-messages-in-the-windows-security-...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You'll get all 4662 events if the regex doesn't match anything.  Have you tested that regular expression on regex101.com?  IME, negative lookaheads don't work well in Splunk so see if there's another way to get the same results.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

cmlombardo
Path Finder

Please see my post above.

The regex matches exactly what I need to exclude (all the events but those related to the OUs in the regex).

The negative lookahead is what is recommended in the blog.


Thank you.

0 Karma