Having issues with a blacklist of mine. Trying to filter out specific instances of an event code using regex. When I test out the pattern with regexr for example, it matches without issue. But the events are coming in regardless.
My blacklist would be:
blacklist7 = EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"
And an example event would be:
06/09/2021 07:55:08 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Special Logon
OpCode=Info
RecordNumber=3400724885
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: ACCOUNTNAME$
...
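To check the blacklist regex against an event offline, here is an added Python example (not code from the original thread and not Splunk's own implementation). It parses an event in the WinEventLog text format shown above into fields, treating everything from `Message=` to the end as the multi-line Message value, and then applies each `key="regex"` pair of the blacklist as a regex search on that field. The sample event is constructed from the one above with tabs restored in the Subject block (real Security-log messages separate "Account Name:" from the value with tabs, which is why the `\s+` in the pattern matters) and an extra Account Domain line; the spec parser and the all-pairs-must-match rule are this example's own reading of the blacklist format, so confirm them against inputs.conf.spec for your Splunk version. It runs under Python's `re` engine rather than the PCRE Splunk uses; this particular pattern uses only syntax the two share.

```python
import re

# Constructed sample event in the text format the WinEventLog input produces.
# Tabs in the Subject block are deliberate: that is how the real message looks
# before a browser or editor collapses them to spaces.
SAMPLE_EVENT = """06/09/2021 07:55:08 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Special Logon
OpCode=Info
RecordNumber=3400724885
Keywords=Audit Success
Message=Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM
\tAccount Name:\t\tACCOUNTNAME$
\tAccount Domain:\t\tDOMAIN
"""

# The blacklist value from the thread, verbatim: key = "regex" pairs.
BLACKLIST = r'EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"'


def parse_event(text):
    """Split a WinEventLog event into a dict of field -> value.

    The first line is the timestamp. Everything from 'Message=' to the end of
    the event is the Message value, because the message body itself contains
    lines with ':' and '=' in them and must not be split into more fields.
    """
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines[1:], start=1):
        if line.startswith("Message="):
            body = [line[len("Message="):]] + lines[i + 1:]
            fields["Message"] = "\n".join(body)
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


# Matches one key="regex" pair; the value may contain backslash escapes such
# as \s or \$, which are kept as-is because they are part of the regex.
_PAIR = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_blacklist(spec):
    """Turn 'Key="regex" Key2="regex2"' into a list of (key, compiled regex)."""
    return [(key, re.compile(pattern)) for key, pattern in _PAIR.findall(spec)]


def is_blacklisted(event_text, spec):
    """Return True if every key/regex pair in the spec matches the event.

    Assumption of this example: multiple pairs are ANDed, so an event is only
    dropped when all of them match. Each regex is applied with search(), so
    EventCode="467" would also match 4672; anchor with ^...$ when the
    whole value must match.
    """
    fields = parse_event(event_text)
    for key, regex in parse_blacklist(spec):
        if key not in fields or not regex.search(fields[key]):
            return False
    return True


if __name__ == "__main__":
    print("blacklisted:", is_blacklisted(SAMPLE_EVENT, BLACKLIST))
```

If this reports a match but the events still arrive, the pattern is not the problem; look at the stanza name, the input the stanza actually applies to, and whether the forwarder has reloaded the configuration.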
Seems I'm just not careful enough and my stanza name had a typo. The blacklist works as intended once I corrected that.
Perhaps it is a typo just in the question, but the EventCode value in the blacklist does not match that in the event.
It is, sorry. I am actually doing the same filter for similar events on both event codes 72 and 27, and got my examples mixed up. I'll correct that.
Hi @pizzor
Trying to filter WinEventLogs with more than EventCodes is limited to some key fields. It's not a free regex that you can drop in there, so to speak.
You can find this set of valid keys in here: https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...
Hope it helps.
Thanks, but the key I am using (Message) is listed. The "Account Name" piece also does show up in the Message field in the final extract results as well.
Splunk documentation also lists what I am trying to do as an example on this doc, under Example 5: