Windows Event Log Blacklist not Blacklisting

jadams7325 · ‎08-05-2014

I'm running Splunk 6.1 as my indexer. I have a 6.1 universal forwarder setup on a windows box and I'm trying to filter what event logs get sent back to the indexer.

I added this stanza to inputs.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local:

[WinEventLog:Security]
disabled = 0
blacklist = 5145,5156

I then restarted the forwarder service and unfortunately I am still seeing 5145s and 5156s in my indexer. Am I missing something? I looked at splunkd.log but it didn't provide any insight on the issue.

Josh

Jeff_Lightly_Sp · ‎08-05-2014

Take a look at this excellent blog post:

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

somesoni2 · ‎08-05-2014

This blog is a good read. Other references

http://answers.splunk.com/answers/29218/filtering-windows-event-logs

http://answers.splunk.com/answers/136559/filtering-wineventlogsecurity

They may have some extra filters, so adjust per your need.

Windows Event Log Blacklist not Blacklisting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

Windows Event Log Blacklist not Blacklisting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!