Getting Data In

Windows Blacklist Pattern Match Issue

bwheelock
Path Finder

I can't think of a better way to phrase my question without it being a sentence. The issue I'm having is my blacklist is checking for an Event Code (4624) and then a Message that contains Exchange Health Mailbox accounts, but ends up removing ALL 4624 events. I only want to discard the events that have the health mailboxes, but as soon as I make the conf change and the change applies... 4624s stop coming in.

EDIT: OK, I found the issue. Full disclosure: some major egg on my face here. In my inputs.conf I have three active blacklists, and each is different in event code and scope. It turns out I coincidentally had three distinct cases of bad Splunk-specific regex formatting that caused the "Message=" section to break. For my example below, I wanted a case insensitive match and wrapped the regex in (?i) rather than placing (?i) by itself before the section I wanted to match with case insensitivity. Bottom line is my bad regex in the Message key caused that portion of the line to be discarded, leaving only the EventCode key for evaluation. This is odd behavior to me, as I would expect the entire line to be discarded and not simply the bad key, as the end result was I ended up blacklisting all of that event code rather than failing to blacklist anything.

I think the issue I'm having might still qualify as a bug, maybe, but at least I now know I was mostly shooting myself in the foot!

Here's an example:

blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"

Edit: here's what I did to fix the above.

blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))"
1 Solution

bwheelock
Path Finder

I think the issue I'm having might still qualify as a bug, maybe, but at least I now know I was mostly shooting myself in the foot!

OK, I found the issue. Full disclosure: some major egg on my face here. In my inputs.conf I have three active blacklists, and each is different in event code and scope. It turns out I coincidentally had three distinct cases of bad Splunk-specific regex formatting that caused the "Message=" section to break. For my example below, I wanted a case insensitive match and wrapped the regex in (?i) rather than placing (?i) by itself before the section I wanted to match with case insensitivity. Bottom line is my bad regex in the Message key caused that portion of the line to be discarded, leaving only the EventCode key for evaluation. This is odd behavior to me, as I would expect the entire line to be discarded and not simply the bad key, as the end result was I ended up blacklisting all of that event code rather than failing to blacklist anything.

Here's an example that breaks the Message key causing the blacklist to exclude ALL EventCode key matches:

blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"

Here's what I did to fix the above bad regex.

blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))"

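As an added check, not part of the original post and not Splunk's own tooling: the Python script below parses a blacklist stanza into its key="regex" pairs, compiles each one, and then runs the stanza over a few constructed 4624/4625 fragments under the two possible treatments of a bad key: the one the post reports (the broken Message key is discarded and EventCode alone decides) and the one the author expected (the whole stanza is inert). It uses Python's re rather than Splunk's PCRE, so the working stanza is written with a scoped (?i:...) flag, which both engines accept, instead of the post's mid-pattern (?i), which Python 3.11 and later reject outright. The sample events are made up, the AND-across-keys rule is Splunk's documented blacklist behaviour, and the drop-the-bad-key model is the post's observation, not documented semantics.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed 4624/4625 fragments (not from the original post) in the shape the
# WinEventLog input exposes them: an EventCode field plus the Message body.
# A real 4624 carries "Account Name:" twice (Subject, then New Logon), so the
# samples do too; the Subject entry is "-" here, as it is for network logons.
def _msg(header: str, section: str, account: str) -> str:
    return (f"{header}\n\nSubject:\n\tAccount Name:\t\t-\n\n"
            f"{section}:\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tCORP\n")

LOGON_OK = "An account was successfully logged on."
SAMPLE_EVENTS = [
    {"id": "health",    "EventCode": "4624",
     "Message": _msg(LOGON_OK, "New Logon", "HealthMailbox3f8a1c2d")},
    {"id": "health_lc", "EventCode": "4624",
     "Message": _msg(LOGON_OK, "New Logon", "healthmailbox3f8a1c2d")},
    {"id": "machine",   "EventCode": "4624",
     "Message": _msg(LOGON_OK, "New Logon", "EXCH01$")},
    {"id": "user",      "EventCode": "4624",
     "Message": _msg(LOGON_OK, "New Logon", "jdoe")},
    {"id": "failed",    "EventCode": "4625",
     "Message": _msg("An account failed to log on.",
                     "Account For Which Logon Failed", "HealthMailbox3f8a1c2d")},
]

# The post's broken stanza, verbatim, and a working one. The working one uses a
# scoped flag, (?i:...), instead of the post's mid-pattern (?i): Splunk's PCRE
# accepts both, but Python 3.11+ rejects (?i) anywhere except the start.
BROKEN = r'blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"'
FIXED = r'blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i:HealthMailbox\S+)|(\S+\$))"'

# key="regex" pairs; backslashes inside the quotes are kept verbatim.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(line: str) -> List[Tuple[str, str]]:
    """Return the (key, regex) pairs of one blacklist stanza line."""
    rhs = re.sub(r"^\s*blacklist\d*\s*=\s*", "", line)
    return PAIR_RE.findall(rhs)


def lint_blacklist(line: str) -> Dict[str, Optional[str]]:
    """Compile each key's regex: key -> None if it compiles, else the error text."""
    report: Dict[str, Optional[str]] = {}
    for key, pattern in parse_blacklist(line):
        try:
            re.compile(pattern)
            report[key] = None
        except re.error as exc:
            report[key] = str(exc)
    return report


def is_blacklisted(event: dict, pairs: List[Tuple[str, str]], drop_bad_keys: bool) -> bool:
    """True if every key's regex matches the event (Splunk ANDs the pairs).

    drop_bad_keys=True skips a key whose regex fails to compile, which is the
    behaviour the post reports; False treats the whole stanza as inert.
    """
    checked = 0
    for key, pattern in pairs:
        try:
            rx = re.compile(pattern)
        except re.error:
            if drop_bad_keys:
                continue
            return False
        checked += 1
        if not rx.search(event.get(key, "")):
            return False
    return checked > 0  # a stanza with no usable key blacklists nothing


def surviving_ids(line: str, drop_bad_keys: bool = True, events=SAMPLE_EVENTS) -> List[str]:
    """IDs of the sample events that would still be forwarded under this stanza."""
    pairs = parse_blacklist(line)
    return [e["id"] for e in events if not is_blacklisted(e, pairs, drop_bad_keys)]


if __name__ == "__main__":
    for name, line in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "lint:", lint_blacklist(line))
        print(name, "kept, bad key dropped:", surviving_ids(line, True))
        print(name, "kept, stanza inert:   ", surviving_ids(line, False))
```

With the broken stanza and the bad key dropped, only the 4625 event survives, which is exactly the symptom in the question; with the fixed stanza the health mailbox and computer-account logons go and the ordinary user logon stays. Running the lint before pushing inputs.conf to the forwarders tells you which key will fail to compile, which is the check that would have caught this.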
nareshinsvu
Builder

Hope you have tried props and transforms.conf instead of blacklisting in inputs.conf?

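For the props.conf/transforms.conf route nareshinsvu mentions, here is an added example (not from the thread) of the same filter written as a nullQueue transform. It assumes the classic, non-XML WinEventLog rendering, where _raw contains an EventCode=4624 line followed by the Message text with its "Account Name:" entries; the stanza and transform names are arbitrary.

```ini
# props.conf  (on the indexer or heavy forwarder that parses the data)
[WinEventLog:Security]
TRANSFORMS-drop_health_logons = drop_healthmailbox_4624

# transforms.conf
[drop_healthmailbox_4624]
# One regex over _raw: the EventCode line, then anywhere later an Account Name
# that is a HealthMailbox* account (case-insensitive) or a computer account (ends in $).
REGEX = (?s)EventCode=4624\s.*Account Name:\s+(?:(?i:HealthMailbox\S+)|\S+\$)
DEST_KEY = queue
FORMAT = nullQueue
```

Two practical differences from the inputs.conf blacklist: TRANSFORMS run where the data is parsed (indexer or heavy forwarder), so a universal forwarder still ships every 4624 across the network before the health-mailbox ones are dropped, whereas the blacklist discards them on the host; and because the transform is a single regex over _raw rather than separate key=regex pairs, the failure in this thread, one key silently discarded while the other keeps matching on its own, has nothing to act on. Test the REGEX with rex against live events of the same sourcetype before enabling it, and afterwards confirm with a search for HealthMailbox 4624s that nothing new is indexed.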

bwheelock
Path Finder

Thanks for the input! For the moment I have avoided switching to that direction, but if it helps troubleshoot why the inputs functionality is not working as expected I can work on that. I presume the main value would be to confirm the regex is working? (Though I've validated the regex against event codes within Splunk already, using the rex command)
