Getting Data In

WinEventLog UF 6.2 renderXml Blacklist

New Member

Hi,
I'm struggeling with setting up a blacklist for an WinEventLog inputs.conf with the renderXml = true.

This is the inputs.conf stanza I'm using:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

(refering to: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/)

Now I want to blacklist every events caused by for example the splunkd.exe.

I've tried something like
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"

but this does not work.

Any help is really apreciated.

Thanks
Martin

Tags (2)
0 Karma

Builder

were you ever able to accomplish blacklisting? I was just trying to accomplish the same thing. Since there is no message field when renderXml=true AND it appears that only specific keys (not including _raw) are supported with whitelisting|blacklisting, I am thinking a feature modification request is in order...

0 Karma

Builder

I know this is a late response to thread, but finally got this working for myself as well. Here is a sample input:

[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
renderXml= True
#client-side extension processing started/completed
whitelist1 = EventCode=%^(4016|5016)$%
#gpo download from domain controller
whitelist2 = EventCode=%^(5126)$%
#manual processing of GPO started/completed for user
whitelist3 = EventCode=%^(4004|8004)$%
#manual processing of GPO started/completed for machine
whitelist4 = EventCode=%^(4005|8005)$%
0 Karma

Splunk Employee
Splunk Employee

Please see the splunk documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata -- there is a list of keys under the section, "Create advanced filters with 'whitelist' and 'blacklist'". These keys are the same keys IF you were not rendering the event in XML.