Re: WinEventLog UF 6.2 renderXml Blacklist

mjaeger · ‎11-27-2014

Hi,
I'm struggeling with setting up a blacklist for an WinEventLog inputs.conf with the renderXml = true.

This is the inputs.conf stanza I'm using:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

(refering to: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/)

Now I want to blacklist every events caused by for example the splunkd.exe.

I've tried something like
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"

but this does not work.

Any help is really apreciated.

Thanks
Martin

dstaulcu · ‎03-22-2015

were you ever able to accomplish blacklisting? I was just trying to accomplish the same thing. Since there is no message field when renderXml=true AND it appears that only specific keys (not including _raw) are supported with whitelisting|blacklisting, I am thinking a feature modification request is in order...

dstaulcu · ‎12-28-2015

I know this is a late response to thread, but finally got this working for myself as well. Here is a sample input:

[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
renderXml= True
#client-side extension processing started/completed
whitelist1 = EventCode=%^(4016|5016)$%
#gpo download from domain controller
whitelist2 = EventCode=%^(5126)$%
#manual processing of GPO started/completed for user
whitelist3 = EventCode=%^(4004|8004)$%
#manual processing of GPO started/completed for machine
whitelist4 = EventCode=%^(4005|8005)$%

wcolgate_splunk · ‎02-02-2015

Please see the splunk documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata -- there is a list of keys under the section, "Create advanced filters with 'whitelist' and 'blacklist'". These keys are the same keys IF you were not rendering the event in XML.

WinEventLog UF 6.2 renderXml Blacklist

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life