Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

WinEventLog UF 6.2 renderXml Blacklist

mjaeger
New Member
‎11-27-2014 06:40 AM

Hi,
I'm struggeling with setting up a blacklist for an WinEventLog inputs.conf with the renderXml = true.

This is the inputs.conf stanza I'm using:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

(refering to: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/)

Now I want to blacklist every events caused by for example the splunkd.exe.

I've tried something like
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"

but this does not work.

Any help is really apreciated.

Thanks
Martin

Tags (2)
0 Karma
Reply

dstaulcu
Builder
‎03-22-2015 10:45 AM

were you ever able to accomplish blacklisting? I was just trying to accomplish the same thing. Since there is no message field when renderXml=true AND it appears that only specific keys (not including _raw) are supported with whitelisting|blacklisting, I am thinking a feature modification request is in order...

0 Karma
Reply

dstaulcu
Builder
‎12-28-2015 09:30 PM

I know this is a late response to thread, but finally got this working for myself as well. Here is a sample input:

[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
renderXml= True
#client-side extension processing started/completed
whitelist1 = EventCode=%^(4016|5016)$%
#gpo download from domain controller
whitelist2 = EventCode=%^(5126)$%
#manual processing of GPO started/completed for user
whitelist3 = EventCode=%^(4004|8004)$%
#manual processing of GPO started/completed for machine
whitelist4 = EventCode=%^(4005|8005)$%
0 Karma
Reply

wcolgate_splunk
Splunk Employee
Splunk Employee
‎02-02-2015 07:50 PM

Please see the splunk documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata -- there is a list of keys under the section, "Create advanced filters with 'whitelist' and 'blacklist'". These keys are the same keys IF you were not rendering the event in XML.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...