Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows Eventlog Blacklist Failing

pizzor
Path Finder
‎06-09-2021 08:11 AM

Having issues with a blacklist of mine. Trying to filter out specific instances of an event code using regex. When I test out the pattern with regexr for example, it matches without issue. But the events are coming in regardless.

 

My blacklist would be:

 

blacklist7 = EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"

 

 

And an example event would be:

 

06/09/2021 07:55:08 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Special Logon
OpCode=Info
RecordNumber=3400724885
Keywords=Audit Success
Message=Special privileges assigned to new logon.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		ACCOUNTNAME$
...

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pizzor
Path Finder
‎06-29-2021 11:50 AM

Seems I'm just not careful enough and my stanza name had a typo. The blacklist works as intended once I corrected that.

View solution in original post

Reply
Solved! Jump to solution
Solution

pizzor
Path Finder
‎06-29-2021 11:50 AM

Seems I'm just not careful enough and my stanza name had a typo. The blacklist works as intended once I corrected that.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2021 10:11 AM

Perhaps it is a typo just in the question, but the EventCode value in the blacklist does not match that in the event.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pizzor
Path Finder
‎06-09-2021 10:17 AM

It is, sorry. I am actually doing the same filter for similar events on both event codes 72 and 27, and got my examples mixed up. I'll correct that.

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎06-09-2021 08:52 AM

Hi @pizzor 

Trying to filter WinEventLogs with more than EventCodes is limited by some key fields. Its not a free regex that you can drop there sort to speak.

You can find this set of valid keys in here: https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...

Hope it helps.

0 Karma
Reply
Solved! Jump to solution

pizzor
Path Finder
‎06-09-2021 09:11 AM

Thanks, but the key I am using (Message) is listed. The "Account Name" piece also does show up in the Message field in the final extract results as well.

Splunk documentation also lists what I am trying to do as a example on this doc, under Example 5:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=...

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top