Hi,
I'm struggling with setting up a blacklist for a WinEventLog inputs.conf with renderXml = true.
This is the inputs.conf stanza I'm using:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
(referring to: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/)
Now I want to blacklist every event caused by, for example, splunkd.exe.
I've tried something like
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
but this does not work.
Any help is really appreciated.
Thanks
Martin
Were you ever able to accomplish blacklisting? I was just trying to accomplish the same thing. Since there is no message field when renderXml=true AND it appears that only specific keys (not including _raw) are supported with whitelisting|blacklisting, I am thinking a feature modification request is in order...
I know this is a late response to the thread, but I finally got this working for myself as well. Here is a sample input:
[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
renderXml = True
#client-side extension processing started/completed
whitelist1 = EventCode=%^(4016|5016)$%
#gpo download from domain controller
whitelist2 = EventCode=%^(5126)$%
#manual processing of GPO started/completed for user
whitelist3 = EventCode=%^(4004|8004)$%
#manual processing of GPO started/completed for machine
whitelist4 = EventCode=%^(4005|8005)$%
Please see the Splunk documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata. There is a list of keys under the section "Create advanced filters with 'whitelist' and 'blacklist'". These keys are the same keys as IF you were not rendering the event in XML.