Getting Data In

Why is one of my blacklists on inputs.conf not working to filter events from Windows Event Logs?

fatemabwudel
Path Finder

Hi,

So I am using Windows Universal forwarder (6.4.1) to forward data to indexers (6.5)
I have a filter setup in inputs.conf on UFs:

[WinEventLog://Security]
disabled = 0
index = test
sourcetype = windows
blacklist1 = EventCode="4662" Message=”Object Type:\s+(?!groupPolicyContainer)”
blacklist2 = EventCode="566" Message=”Object Type:\s+(?!groupPolicyContainer)”
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:[\s]*(.*\$)"
blacklist5 = Message="Account Name:[\s]*HealthMailbox.*"

The problem is that I can see blacklists1-4 working, i.e not getting any events corresponding to those codes/regexes,
but blacklist5 doesn't work, i.e still seeing the events with Account Names containing "HealthMailbox" in it. I have spent enough
of my time beating my head around trying to think what could be the cause of this behavior but couldn't find a solution.

Is there something I am missing?

Thanks for the help.

Fatema.

0 Karma
1 Solution

gokadroid
Motivator

Hi @fatemabwudel

If you could post the type of events you are trying to filter that might help, but I think problem is in your current regex:

Your regex:

Message="Account Name:[\s]*HealthMailbox.*"

What it will filter is all the account names that start with HealthMailbox and are preceeded by n number of spaces:

Message="Account Name:<singlespace>HealthMailbox<Everything hereafter>"
Message="Account Name:<singlespace><singlespace>HealthMailbox<Everything hereafter>"
Message="Account Name:<singlespace><singlespace><singlespace>...and so on...HealthMailbox<Everything hereafter>"

What you probably wanted to filter was "Account Names containing "HealthMailbox":

Message="Account Name:<singlespace><someNonSpacestringhere>HealthMailbox<Everything hereafter>"

Try this if there is no space between < someNonSpaceString> and HealthMailbox:

Message=\"Account Name:[\s]+?[\S]+HealthMailbox.*\"

Example: Message="Account Name: thisIsSomeAccountHealthMailbox and here is all data afterwards"

If there are spaces between < someNonSpaceString> and HealthMailbox try:

Message=\"Account Name:[\s]+?[\S]+?\s+?HealthMailbox.*\"

Example: Message="Account Name: thisIsSomeAccount HealthMailbox and here is all data afterwards"

Else please respond with events and we will provide exact regex. Test them here https://regex101.com/

View solution in original post

gokadroid
Motivator

Hi @fatemabwudel

If you could post the type of events you are trying to filter that might help, but I think problem is in your current regex:

Your regex:

Message="Account Name:[\s]*HealthMailbox.*"

What it will filter is all the account names that start with HealthMailbox and are preceeded by n number of spaces:

Message="Account Name:<singlespace>HealthMailbox<Everything hereafter>"
Message="Account Name:<singlespace><singlespace>HealthMailbox<Everything hereafter>"
Message="Account Name:<singlespace><singlespace><singlespace>...and so on...HealthMailbox<Everything hereafter>"

What you probably wanted to filter was "Account Names containing "HealthMailbox":

Message="Account Name:<singlespace><someNonSpacestringhere>HealthMailbox<Everything hereafter>"

Try this if there is no space between < someNonSpaceString> and HealthMailbox:

Message=\"Account Name:[\s]+?[\S]+HealthMailbox.*\"

Example: Message="Account Name: thisIsSomeAccountHealthMailbox and here is all data afterwards"

If there are spaces between < someNonSpaceString> and HealthMailbox try:

Message=\"Account Name:[\s]+?[\S]+?\s+?HealthMailbox.*\"

Example: Message="Account Name: thisIsSomeAccount HealthMailbox and here is all data afterwards"

Else please respond with events and we will provide exact regex. Test them here https://regex101.com/

fatemabwudel
Path Finder

I think the regex was the problem.
Changed the regex to this: blacklist5 = Message="Account Name:[\s](.*HealthMailbox.)"

The events looked like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=comp1
TaskCategory=Logoff
OpCode=Info
RecordNumber=45263512
Keywords=Audit Success
Message=An account was logged off.

Subject:
Security ID: WIN\HealthMailbox453678
Account Name: HealthMailbox453678
Account Domain: WIN
Logon ID: 0x23S797B

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Thank you for the response and help!

Fatema.

0 Karma

gokadroid
Motivator

you are welcome @fatemabwudel

0 Karma

lukejadamec
Super Champion

Does Account Name appear twice in the Message of the events you're trying to block?
Since both of these are Message text regexes, have you tried removing #4 to test #5?

0 Karma

fatemabwudel
Path Finder

Yeah, it didn't work (removing #4 to test #5). Hence changed the regex and it fixed it.
Thanks for the help!

0 Karma

lukejadamec
Super Champion

Rockondog.

0 Karma

lukejadamec
Super Champion

You did try putting HealthMailbox. in parens right? (HealthMailbox.)

0 Karma

fatemabwudel
Path Finder

Yeah before it was in parens but thought that maybe that might be causing it not to parse, hence tried without parens and still didn't work 😞
( the astricks in the question got changed, here is the regex:
blacklist5 = Message="Account Name:[\s]HealthMailbox."

0 Karma

fatemabwudel
Path Finder

arrr still the astricks got replaced while posting, let me try this:
blacklist5 = Message="Account Name:\sHealthMailbox.(astrick)"

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Just a friendly reminder: if you want to keep your code formatting, be sure to wrap your code in a code sample so that any special characters (like an asterisk) are rendered properly. Use the code sample icon in the toolbar to do this (it's to the right of the blockquote/quotations icon). Thanks.

0 Karma

fatemabwudel
Path Finder

Thanks for formatting it. Appreciate it.
will remember from next time.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...