Getting Data In

WinEventLog whitelisting by SourceName not working

Engager

I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.

[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
index=windows_evt

With this config any events I put in the first whitelist line work perfectly, but the second line is not functional. As a test, if I add an event code that will have a SourceName of "AD FS Auditing" (say EventCode=500) they come in just fine. I have tried various combinations of things for source name such as "^AD FS Auditing$" and ".*AD FS Auditing.*" with no success.

0 Karma
1 Solution

Contributor

You are using both whitelist formats in the same stanza. That does not work, according to http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata.

You can specify one of two formats:

One or more Event Log event codes or event IDs (Event Code/ID format.)

One or more sets of keys and regular expressions (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.

Try this instead:

 [WinEventLog://Security]
 whitelist= EventCode="4624|4625"
 whitelist1= SourceName="AD FS Auditing"
 index=windows_evt

Path Finder

Whitelisting for WinEventLog is a little bit tricky.

First of all you can whitelist only with these fields:
Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User

Then the logic behind different whitelist rules is like this:

whitelist OR whitelist1 OR whitelist2 OR .... OR whitelistN

where the logic within each whitelist rule is like this:

rule1 AND rule2 AND ... AND ruleN

Here is a concrete example:

whitelist = EventCode="4624|4625"
whitelist1 = SourceName="AD FS Auditing"
whitelist2 = Keywords="Audit Success" User="Bob Marley"

This translates to:

EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley")

0 Karma
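
As an added illustration (not code from the original thread, and not Splunk's own implementation), the following Python models the whitelist semantics described in this answer and in the accepted solution: whitelist, whitelist1, ... entries are OR'd, the key="regex" pairs inside one entry are AND'd, only the listed field names are accepted, and an event-code list cannot be mixed with key="regex" entries in one stanza. It runs the question's original stanza and the corrected stanza over constructed sample events. Assumptions that are not on the page: regexes are applied with an unanchored search (so anchor with ^...$ when an exact value is intended), regex values are double-quoted, and event-code ranges are not modelled; the stanza dicts, helper names and sample events are constructed for the example.

```python
import re
from typing import Dict, List, Tuple, Union

# Fields the answer above lists as usable in the advanced (key="regex") whitelist format.
ALLOWED_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType",
    "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid", "SidType",
    "SourceName", "TaskCategory", "Type", "User",
}

# Event Code/ID format: comma-separated integers (ranges are not modelled here).
CODE_LIST_RE = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")
# Advanced format: one or more key="regex" pairs; a literal quote inside the regex is written \".
KV_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')

Rule = Tuple[str, str, Union[set, Dict[str, re.Pattern]]]


def parse_rule(value: str) -> Tuple[str, Union[set, Dict[str, re.Pattern]]]:
    """Classify one whitelistN value as 'codes' or 'advanced' and compile it."""
    if CODE_LIST_RE.match(value):
        return "codes", {int(code) for code in value.split(",")}
    pairs = KV_RE.findall(value)
    # Reject anything that is neither a code list nor purely key="regex" pairs.
    if not pairs or KV_RE.sub("", value).strip():
        raise ValueError(f"unparseable whitelist value: {value!r}")
    compiled: Dict[str, re.Pattern] = {}
    for key, regex in pairs:
        if key not in ALLOWED_KEYS:
            raise ValueError(f"{key!r} is not a whitelistable WinEventLog field")
        compiled[key] = re.compile(regex.replace('\\"', '"'))
    return "advanced", compiled


def parse_stanza(settings: Dict[str, str]) -> List[Rule]:
    """Collect whitelist, whitelist1, ... from one stanza, refusing mixed formats."""
    rules: List[Rule] = []
    for name, value in settings.items():
        if re.fullmatch(r"whitelist\d*", name):
            fmt, rule = parse_rule(value)
            rules.append((name, fmt, rule))
    if len({fmt for _, fmt, _ in rules}) > 1:
        raise ValueError("event-code and key=regex whitelists mixed in one stanza")
    return rules


def event_allowed(rules: List[Rule], event: Dict[str, object]) -> bool:
    """Entries are OR'd; within an advanced entry every key=regex pair must match (AND).

    Assumption: each regex is applied with an unanchored search against the field value.
    """
    if not rules:  # no whitelist at all: the input collects everything
        return True
    for _name, fmt, rule in rules:
        if fmt == "codes":
            if int(event.get("EventCode", -1)) in rule:
                return True
        elif all(regex.search(str(event.get(key, ""))) for key, regex in rule.items()):
            return True
    return False


def stanza_is_valid(settings: Dict[str, str]) -> bool:
    try:
        parse_stanza(settings)
        return True
    except ValueError:
        return False


def collected_codes(settings: Dict[str, str], events: List[Dict[str, object]]) -> List[int]:
    """EventCodes of the events the stanza's whitelist would let through, in input order."""
    rules = parse_stanza(settings)
    return [e["EventCode"] for e in events if event_allowed(rules, e)]


# Constructed sample events (not real log data) with the fields a forwarder would expose.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Success", "User": "alice"},
    {"EventCode": 4625, "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Failure", "User": "alice"},
    {"EventCode": 500,  "SourceName": "AD FS Auditing",                      "Keywords": "Audit Success", "User": "bob"},
    {"EventCode": 4688, "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Success", "User": "Bob Marley"},
    {"EventCode": 4688, "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Success", "User": "alice"},
]

# The question's stanza (formats mixed) and the corrected stanza from the answers.
ORIGINAL_STANZA = {"whitelist": "4624, 4625", "whitelist1": 'SourceName="AD FS Auditing"', "index": "windows_evt"}
CORRECTED_STANZA = {
    "whitelist": 'EventCode="4624|4625"',
    "whitelist1": 'SourceName="AD FS Auditing"',
    "whitelist2": 'Keywords="Audit Success" User="Bob Marley"',
    "index": "windows_evt",
}

if __name__ == "__main__":
    print("original stanza valid:", stanza_is_valid(ORIGINAL_STANZA))                   # False
    print("corrected stanza keeps:", collected_codes(CORRECTED_STANZA, SAMPLE_EVENTS))  # [4624, 4625, 500, 4688]
```

Under the corrected stanza the two logon events pass on EventCode, the AD FS event passes on SourceName, and only the 4688 whose Keywords and User both match passes on the third entry; the mixed-format stanza is rejected outright rather than silently ignoring its second line.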

SplunkTrust

Hi jrlane,
probably there's an error in your regex: e.g. before brackets and equals signs you have to insert a backslash (\).

Try your regex in https://regex101.com/ or in Splunk before inserting it in the whitelist.

Bye.
Giuseppe

0 Karma

Engager

I don't see how regex could be the problem. Running this query, index="myindex" SourceName="AD FS Auditing" EventCode=500, I get the results I need; there should be no regex required on SourceName, it's an exact string.

0 Karma

SplunkTrust

Hi jrlane,
from http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = <regular expression>
* If set, files from this input are monitored only if their path matches the specified regex.
* Takes precedence over the deprecated _whitelist setting, which functions the same way.

In the whitelist you have to insert a regex, not a string or a field like the one you used in your example index="myindex" SourceName="AD FS Auditing" EventCode=500.
So if you use a rex command in your search instead of a string you can see that your regex is wrong (backslashes before brackets and equals signs).
Try using whitelist1= SourceName\=\"AD FS Auditing\" in your inputs.conf.

You can verify this regex in this way:
using the regex of your whitelist, you get no events

index="myindex" EventCode=500
| rex "SourceName="AD FS Auditing""

instead if you use the correct regex, you'll find events

index="myindex" EventCode=500
| rex "SourceName\=\"AD FS Auditing\""

Try it.

Bye.
Giuseppe

0 Karma