Getting Data In

WinEventLog whitelisting by SourceName not working

jrlane
Engager

I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.

[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
index=windows_evt

With this config any events I put in the first whitelist line work perfectly, but the second line is not functional. As a test, if I add an event code that will have a SourceName of "AD FS Auditing" (say EventCode=500) they come in just fine. I have tried various combinations of things for source name such as "^AD FS Auditing$" and ".*AD FS Auditing.*" with no success.

0 Karma
1 Solution

spayneort
Contributor

You are using both whitelist formats in the same stanza. That does not work, according to http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata.

You can specify one of two formats:

One or more Event Log event codes or event IDs (Event Code/ID format.)

One or more sets of keys and regular expressions (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.

Try this instead:

 [WinEventLog://Security]
 whitelist= EventCode="4624|4625"
 whitelist1= SourceName="AD FS Auditing"
 index=windows_evt

sonny_monti
Path Finder

Whitelisting for Wineventlog is a little bit tricky.

First of all you can whitelist only with these fields:
Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User

Then the logic behind different whitelist rules is like this:

whitelist OR whitelist1 OR whitelist2 OR .... OR whitelistN

where the logic within each whitelist rule is like this:

rule1 AND rule2 AND ... AND ruleN

Here is a concrete example:

whitelist = EventCode="4624|4625"
whitelist1 = SourceName="AD FS Auditing"
whitelist2 = Keywords="Audit Success" User="Bob Marley"

This translates to:

EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley")

0 Karma
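As an added illustration of the OR/AND logic described above (example code, not from the thread or from Splunk), a small Python model that evaluates the example whitelist lines against constructed events. It assumes each Key="regex" value is an unanchored regex search on that field; the helper names, the sample events and the field subset are constructed for this example.

```python
import re
# Constructed whitelist lines following sonny_monti's example. A simplified model
# of the semantics the thread describes, not Splunk's matcher (assumption): each
# Key="regex" pair is an unanchored regex search; pairs are ANDed, lines ORed.
WHITELIST_STANZA = {
    "whitelist": 'EventCode="4624|4625"',
    "whitelist1": 'SourceName="AD FS Auditing"',
    "whitelist2": 'Keywords="Audit Success" User="Bob Marley"',
}

ALLOWED_KEYS = {  # keys the thread lists as usable in advanced-format rules
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType",
    "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
    "SidType", "SourceName", "TaskCategory", "Type", "User"}
PAIR_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')

def parse_rule(line):
    """'Key="regex" Key2="regex"' -> [(key, compiled_regex), ...]. Raises on a line
    with no such pair (the bare list 'whitelist= 4624, 4625') or an unknown key."""
    pairs = PAIR_RE.findall(line)
    if not pairs:
        raise ValueError(f"not an advanced-format rule: {line!r}")
    for key, _ in pairs:
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unsupported whitelist key: {key}")
    # Unanchored: "4624|4625" also hits "14624"; use "^(4624|4625)$" for exact codes.
    return [(key, re.compile(pattern)) for key, pattern in pairs]

def rule_is_valid(line):
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False

def event_passes(event, rules):
    """OR across whitelist lines; AND across the pairs within one line."""
    return any(all(rx.search(str(event.get(k, ""))) for k, rx in rule) for rule in rules)

def passing_event_codes(events, stanza=WHITELIST_STANZA):
    rules = [parse_rule(line) for line in stanza.values()]
    return [e["EventCode"] for e in events if event_passes(e, rules)]

# Constructed sample events (field subset only; not real log data).
SAMPLE_EVENTS = [
    {"EventCode": "4624", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"EventCode": "500", "SourceName": "AD FS Auditing"},
    {"EventCode": "4672", "Keywords": "Audit Success", "User": "Bob Marley"},
    {"EventCode": "4672", "Keywords": "Audit Success", "User": "alice"},
]
```

The last sample event fails because only one of the two ANDed pairs on whitelist2 matches, while the bare code list from the original question is rejected as not being an advanced-format rule.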

gcusello
SplunkTrust

Hi jrlane,
probably there's an error in your regex: e.g. before brackets and equals you have to insert a backslash (\).

Try your regex in https://regex101.com/ or in Splunk before inserting it in the whitelist.

Bye.
Giuseppe

0 Karma

jrlane
Engager

I don't see how regex could be the problem. Running this query "index="myindex" SourceName="AD FS Auditing" EventCode=500" I get the results I need; there should be no regex required on SourceName, it's an exact string.

0 Karma

gcusello
SplunkTrust

Hi jrlane,
from http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = **<regular expression>**
* If set, files from this input are monitored only if their path matches the specified regex.
* Takes precedence over the deprecated _whitelist setting, which functions the same way.

In the whitelist you have to insert a regex, not a string or a field like the one you used in your example index="myindex" SourceName="AD FS Auditing" EventCode=500.
So if you use a rex command in your search instead of a string, you can see that your regex is wrong (backslashes before brackets and equals).
Try using whitelist1= SourceName\=\"AD FS Auditing\" in your inputs.conf.

You can verify this regex in this way:
using the regex of your whitelist, you don't get events

index="myindex" EventCode=500
| rex "SourceName="AD FS Auditing""

Instead, if you use the correct regex, you'll find events

index="myindex" EventCode=500
| rex "SourceName\=\"AD FS Auditing\""

Try it.

Bye.
Giuseppe

0 Karma