Getting Data In

Why is blacklisting Windows event logs on a deployment server not working?

nick405060
Motivator

I tried following the documentation for blacklisting Windows event logs in Splunk 6.3.1 without success. I tried editing Splunk/etc/system/local/inputs.conf as well as Splunk/etc/apps/Splunk_TA_windows/local

1 Solution

nick405060
Motivator

I posted this question just so that I could answer it for the Splunk community in case it helps anyone else out. If someone could convert this to an answer that would be great. Copied and pasted from an email to a coworker:

Here are some notes regarding blacklisting in Splunk (note that this differs sharply from the official/flawed 6.3.1 documentation).

- Blacklisting forwarded Windows event logs on the deployment server needs to be done in Splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf, followed by either a Splunk reboot or "splunk reload deploy-server" (note that I cannot get the command to work in PowerShell).
- Your first blacklist (blacklist, not blacklist1) is the only line that can take a list of event IDs:
      blacklist = 0-4623,4625-100000
- Numbered blacklists, up to and including blacklist9, take regular expressions, but they need to be surrounded by % instead of quotation marks. Also note that wildcards are not accepted as they are in a Splunk search or Splunk XML (e.g. blacklist1 = Message=%*thingtofind*%); they need to be a strict regex (e.g. .* or [\s\S]*):
      blacklist1 = Message=%[\s\S]*Account Name:\s*(ABCEX|Mimecast_MSESvc|APMMONITOR|ABCDC|DEF)[\s\S]*%
- You can only blacklist on: Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

Cheers,

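A way to sanity-check a blacklist stanza against the rules in the answer above before pushing it out through the deployment server. This is an added example, not Splunk's code and not the poster's: it parses a local/inputs.conf fragment, enforces that only the unnumbered blacklist carries event-ID ranges, that blacklist1..blacklist9 name an allowed field and a %-wrapped regex (a search-style * wildcard fails to compile and is flagged), and then replays a few constructed Security events through the rules to show which ones would be dropped. Assumptions: the regex is applied as a full match of the field (which is why the post pads its pattern with [\s\S]*), ALLOWED_KEYS is the field list from the answer, and both the stanza text and the events are constructed here rather than taken from a real host.

```python
"""Lint and simulate Splunk_TA_windows blacklist settings (added example, not Splunk code)."""
import re

# Fields the answer says a numbered blacklist may match on.
ALLOWED_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType",
    "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
    "SidType", "SourceName", "TaskCategory", "Type", "User",
}

# Constructed local/inputs.conf fragment using the syntax from the answer.
SAMPLE_INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
blacklist = 0-4623,4625-100000
blacklist1 = Message=%[\s\S]*Account Name:\s*(ABCEX|Mimecast_MSESvc|APMMONITOR|ABCDC|DEF)[\s\S]*%
"""

# Constructed fragment that breaks each rule the answer warns about.
BAD_INPUTS_CONF = r"""
[WinEventLog://Application]
blacklist1 = Message=%*thingtofind*%
blacklist2 = Hostname=%dc01%
blacklist10 = EventCode=%1000%
blacklist = 1000-1999
"""

# Constructed events: only the jdoe 4624 logon should survive the sample stanza.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Message": "An account was successfully logged on.\n\nNew Logon:\n\tAccount Name:\t\tjdoe\n"},
    {"EventCode": 4624, "Message": "An account was successfully logged on.\n\nNew Logon:\n\tAccount Name:\t\tAPMMONITOR\n"},
    {"EventCode": 4625, "Message": "An account failed to log on.\n\n\tAccount Name:\t\tjdoe\n"},
    {"EventCode": 4672, "Message": "Special privileges assigned to new logon.\n"},
]

_NUMBERED = re.compile(r"^blacklist([1-9]\d*)$")


def parse_stanza(text):
    """Return key -> value for a stanza; blank lines, comments and the [header] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")   # first '=' only: values may contain '='
        settings[key.strip()] = value.strip()
    return settings


def parse_id_ranges(value):
    """'0-4623,4625-100000' -> [(0, 4623), (4625, 100000)]; a bare ID becomes (n, n)."""
    ranges = []
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def compile_blacklist(settings):
    """Turn a stanza into (id_ranges, [(field, regex)], problems) following the answer's rules."""
    id_ranges, regex_rules, problems = [], [], []
    for key, value in settings.items():
        if key == "blacklist":
            id_ranges = parse_id_ranges(value)   # only the unnumbered line takes event IDs
            continue
        m = _NUMBERED.match(key)
        if not m:
            continue                             # not a blacklist setting at all
        if int(m.group(1)) > 9:
            problems.append(f"{key}: only blacklist1..blacklist9 are honoured")
            continue
        field, _, pattern = value.partition("=")
        if field not in ALLOWED_KEYS:
            problems.append(f"{key}: '{field}' is not a blacklistable field")
            continue
        if len(pattern) < 2 or not (pattern.startswith("%") and pattern.endswith("%")):
            problems.append(f"{key}: regex must be wrapped in % ... %, not quotes")
            continue
        try:
            regex_rules.append((field, re.compile(pattern[1:-1])))
        except re.error as exc:   # e.g. a search-style * wildcard: "nothing to repeat"
            problems.append(f"{key}: not a valid regex ({exc}); use .* or [\\s\\S]* instead of *")
    return id_ranges, regex_rules, problems


def is_blacklisted(event, id_ranges, regex_rules):
    """Drop if EventCode falls in a range or any rule's regex fully matches its field (assumption)."""
    code = int(event.get("EventCode", -1))
    if any(lo <= code <= hi for lo, hi in id_ranges):
        return True
    return any(rx.fullmatch(str(event.get(field, ""))) for field, rx in regex_rules)


def filter_events(events, conf_text):
    """Apply a stanza to a list of events; returns (kept, dropped, problems)."""
    id_ranges, regex_rules, problems = compile_blacklist(parse_stanza(conf_text))
    kept = [e for e in events if not is_blacklisted(e, id_ranges, regex_rules)]
    dropped = [e for e in events if is_blacklisted(e, id_ranges, regex_rules)]
    return kept, dropped, problems


if __name__ == "__main__":
    kept, dropped, problems = filter_events(SAMPLE_EVENTS, SAMPLE_INPUTS_CONF)
    print("kept:", [e["EventCode"] for e in kept], "dropped:", [e["EventCode"] for e in dropped])
    for p in compile_blacklist(parse_stanza(BAD_INPUTS_CONF))[2]:
        print("problem:", p)
```

Run it on your own local/inputs.conf text before reloading the deployment server; any line it reports as a problem is one the forwarder will either ignore or mis-apply, so the lint catches the quiet failures this thread is about. The full-match semantics are an assumption of this simulation, which is exactly why keeping the [\s\S]* padding from the answer is the safe choice.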

MuS
Legend

If you want to deploy the modified inputs.conf to deployment clients, you must put the changed app into $SPLUNK_HOME/etc/deployment-apps/YourAppNameHere/local and configure a server class to deploy it.

cheers, MuS


cstump_splunk
Splunk Employee

On the PowerShell comment: make sure you cd to the Splunk bin directory and that you dot source the Splunk binary:

./splunk reload deploy-server

Also, run PS with elevated permissions
