Getting Data In

Windows Blacklist Pattern Match Issue

bwheelock
Path Finder

I can't think of a better way to phrase my question without it being a sentence. The issue I'm having is my blacklist is checking for an Event Code (4624) and then a Message that contains Exchange Health Mailbox accounts, but ends up removing ALL 4624 events. I only want to discard the events that have the health mailboxes, but as soon as I make the conf change and the change applies... 4624's stop coming in.

EDIT: OK, I found the issue. Full disclosure: some major egg on my face here. In my inputs.conf I have three active blacklists, and each is different in event code and scope. It turns out I coincidentally had three distinct cases of bad Splunk-specific regex formatting that caused the "Message=" section to break. For my example below, I wanted a case insensitive match and wrapped the regex in (?i) rather than placing (?i) by itself before the section I wanted to match with case insensitivity. Bottom line is my bad regex in the Message key caused that portion of the line to be discarded, leaving only the EventCode key for evaluation. This is odd behavior to me, as I would expect the entire line to be discarded and not simply the bad key, as the end result was I ended up blacklisting all of that event code rather than failing to blacklist anything.

I think the issue I'm having might still qualify as a bug, maybe, but at least I now know I was mostly shooting myself in the foot!

Here's an example:

blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"

Edit: here's what I did to fix the above.

blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))"
0 Karma
1 Solution

bwheelock
Path Finder

I think the issue I'm having might still qualify as a bug, maybe, but at least I now know I was mostly shooting myself in the foot!

OK, I found the issue. Full disclosure: some major egg on my face here. In my inputs.conf I have three active blacklists, and each is different in event code and scope. It turns out I coincidentally had three distinct cases of bad Splunk-specific regex formatting that caused the "Message=" section to break. For my example below, I wanted a case insensitive match and wrapped the regex in (?i) rather than placing (?i) by itself before the section I wanted to match with case insensitivity. Bottom line is my bad regex in the Message key caused that portion of the line to be discarded, leaving only the EventCode key for evaluation. This is odd behavior to me, as I would expect the entire line to be discarded and not simply the bad key, as the end result was I ended up blacklisting all of that event code rather than failing to blacklist anything.

Here's an example that breaks the Message key causing the blacklist to exclude ALL EventCode key matches:

blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"

Here's what I did to fix the above bad regex.

blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))"


0 Karma
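As an added example (not code from the thread), the following Go program models a multi-key blacklist entry the way the poster observed it: each key's regex is compiled on its own, a key whose regex fails to compile is silently discarded, and the surviving keys are ANDed. Go's RE2 engine, like Splunk's PCRE, rejects the `(?i(` form and accepts the `(?:(?i)...)` fix; the discard-on-error behaviour is an assumption modelled on the post rather than documented Splunk semantics, and the 4624-style messages are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Message-key patterns from the thread. Go's RE2, like Splunk's PCRE,
// rejects the broken "(?i(" form and accepts the "(?:(?i)...)" fix.
const BrokenMessageRE = `Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))`
const FixedMessageRE = `Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))`

// Compile compiles each key of a blacklist entry (field -> regex). Keys whose
// regex is invalid go to dropped and are left out: this models the silent
// discard the post observed (an assumption, not documented Splunk behaviour).
func Compile(rule map[string]string) (map[string]*regexp.Regexp, []string) {
	compiled := map[string]*regexp.Regexp{}
	var dropped []string
	for key, pat := range rule {
		if re, err := regexp.Compile(pat); err == nil {
			compiled[key] = re
		} else {
			dropped = append(dropped, key)
		}
	}
	return compiled, dropped
}

// Blacklisted is true only when every surviving key matches (an AND across
// keys). With Message dropped, EventCode alone decides: every 4624 is dropped.
func Blacklisted(fields, rule map[string]string) bool {
	compiled, _ := Compile(rule)
	for key, re := range compiled {
		if !re.MatchString(fields[key]) {
			return false
		}
	}
	return len(compiled) > 0
}

// Constructed 4624-style messages; real ones carry two Account Name fields.
func main() {
	health := map[string]string{"EventCode": "4624", "Message": "New Logon:\n\tAccount Name:\t\thealthmailbox1a2b3c\n"}
	user := map[string]string{"EventCode": "4624", "Message": "Subject:\n\tAccount Name:\t\tWS01$\nNew Logon:\n\tAccount Name:\t\tjdoe\n"}
	for _, pat := range []string{BrokenMessageRE, FixedMessageRE} {
		rule := map[string]string{"EventCode": "4624", "Message": pat}
		_, dropped := Compile(rule)
		fmt.Printf("dropped=%v health=%v user=%v\n", dropped, Blacklisted(health, rule), Blacklisted(user, rule))
	}
}
```

The second sample shows a separate caveat worth checking before deploying the fixed entry: a real 4624 carries an Account Name under both Subject and New Logon, so the `(\S+\$)` alternative also blacklists a user logon whose Subject is a computer account.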


nareshinsvu
Builder

Hope you have tried props and transforms.conf instead of blacklisting in inputs.conf?

0 Karma

bwheelock
Path Finder

Thanks for the input! For the moment I have avoided switching to that direction, but if it helps troubleshoot why the inputs functionality is not working as expected I can work on that. I presume the main value would be to confirm the regex is working? (Though I've validated the regex against event codes within Splunk already, using the rex command)

0 Karma