Getting Data In

Why is my blacklist configuration under WinEventLog not working?

grantsmiley
Path Finder

I have the following stanza in the universal forwarder Splunk 6.3:

[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4656"
blacklist2=EventCode="5156"
blacklist3=EventCode="4658"
blacklist4=EventCode="5145"
blacklist5=EventCode="5158"
Blacklist6=EventCode="4663" Message="ZettaMirror_Sync"

The EventCode only blacklists function as expected, however, adding the Message filter does not. What you see here is the latest of many attempts at regEx's paired down to nothing, tried .*ZettaMirror.*, tried using Process_Name=".*Zetta.*" instead of Message, etc. The actual log event I want to get rid of is this one:

11/25/2015 04:20:34 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=hostname.domain.int
TaskCategory=File System
OpCode=Info
RecordNumber=517360030
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       HOSTNAMEREDACTED$
    Account Domain:     REDACTEDDOMAIN
    Logon ID:       0x3e7
Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    \Device\HarddiskVolumeShadowCopy59\redactedDirectory\somepath.pdf
    Handle ID:  0x4a8

Process Information:
    Process ID: 0xcec
    Process Name:   C:\Program Files\Zetta\ZettaMirror\ZettaMirror_Sync.exe

Access Request Information:
    Accesses:   ReadData (or ListDirectory)
    Access Mask:    0x1
0 Karma

grantsmiley
Path Finder

When I take the event code off and just filter on that exe, I can name the full path it filters it. Strange...

0 Karma

alemarzu
Motivator

Try this,

[WinEventLog://Security]
disabled = 0
blacklist1 = 4656,5156,4658,5145,5158
blacklist2 = EventCode=%^4663$% Message=%ZettaMirror_Sync%
0 Karma

jplumsdaine22
Influencer

I don't think the Universal Forwarder can filter data.

See http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad

0 Karma

alemarzu
Motivator

It is possible since version 6+

0 Karma

grantsmiley
Path Finder
0 Karma

grantsmiley
Path Finder

Apparently the editor likes to strip certain characters off my regEx's....

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.