Getting Data In

Why is blacklist with filter on windows event logs not working?

catchvjay
New Member

Hi,

I have a requirement to blacklist all  computer accounts (ending with $) in Security Event Code 4769. So far I have created following filter in inputs.conf but it is not working.

 

 

[WinEventLog://Security]
disabled = 0
renderXml = 1
source = XmlWinEventLog:Security
blacklist1 = EventCode="4769" Message="(?:<Data Name='ServiceName'>).+\$"

 

 

 I checked regex and it is working on regex builder App but filtering is not working. I am still receiving events with computer accounts.

I referred and tried out various splunk forum questions on the same but no luck. Any help will be appreciated.

Thanks for your time.

Labels (1)
0 Karma

kknair007
Observer

@catchvjay You may try this  :
blacklist1 = EventCode="4769"  Message="Account Name:(\W+\w+$)"

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...