blacklist event codes - Splunk Enterprise v9.0.5

SRHunter
Explorer

Afternoon,

I've been beating my head against the keyboard the last few days trying to get this to work. I want to exclude these two event codes from being indexed. This is what my inputs.conf file looks like:

[default]
host = "hostname"

[splunktcp://9997]
connection_host = ip

[WinEventLog://Security]
disabled=0
current_only=1
blacklist=5447,6417

I save the file, restart splunk from Settings -> Server Controls -> Restart Splunk. Wait about 30 minutes or so to see if the event codes are being dropped from my index. No Joy. 

I've tried adding in sourcetype=WinEventLog:Security, changing the blacklist#, tried using this

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1= EventCode ="5447" Message="A Windows Filtering Platform filter has changed*"

Still no joy.

PickleRick
SplunkTrust
SplunkTrust

Wait a second. What is your architecture? Because I have a feeling you're trying to do something different than you think. Are you running Splunk instance on Windows and ingesting local events? Or are you expecting to filter events forwarded by remote forwarders?

SRHunter
Explorer

Running Splunk Enterprise on Windows Server 2016. Ingesting from Universal Forwarders on our Windows clients. There are a handful of very noisy event codes that I don't want to ingest. I was under the impression that using a blacklist on the server's inputs.conf would just drop that data from being ingested, but I'm still seeing them when I search for the event codes.

PickleRick
SplunkTrust
SplunkTrust

No, it works a bit differently.

You can check this thread to see how various stages of event processing work but I'm not sure if it's clear enough at this point so I'll add a few words to it.

inputs.conf doesn't affect indexing. Indexing is what's happening after an event has been read by the input, got processed through the whole ingestion pipeline and got to the indexing stage where it's getting written to disk (sometimes, depending on context, people use the term indexing for the whole ingestion pipeline after the input phase).

inputs.conf only configures... well, inputs. If you have UFs, each of those UFs has local wineventlog inputs which read events from their own local EventLog. Those events are (only partially) processed by the UF and are forwarded to the downstream component (either an intermediate forwarder or an indexer) using splunktcp:// output. And that downstream component receives them on its splunktcp:// input. So the wineventlog:// input settings don't apply to those events.

So in your case the blacklist entries should work but they will only apply to events you're pulling locally from your Splunk server's EventLog.

If you want to not have those events ingested you need to either blacklist them at each UF's input level (and that's the usual way to do it) or bend over backwards to create props/transforms to filter those events out.

SRHunter
Explorer

Oooooh, I gotcha. Thank you for the info! If I don't have a deployment server for the UFs, how would I go about updating their configs to drop the event codes I don't want coming into the index?

PickleRick
SplunkTrust
SplunkTrust

Of course packaging this setting into an app is the easiest approach regardless of how you're gonna end up pushing that app to the UFs. And since you have no DS you're left with either manually copying the app to each computer and restarting the UF process, or you can go with whatever configuration management tool you already have (if any). Since we're talking Windows the most probable choice would be SCCM.

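The two points above (the blacklist has to live in inputs.conf on each UF, and the practical way to get it there without a deployment server is to package it as an app and copy it out) can be put together in one script. The following is an added example, not code from this thread or from Splunk: it stages a small app whose inputs.conf carries the blacklist, copies it to each forwarder over the admin share and restarts the UF service. The app name, the computer names, the default UF install path and the "SplunkForwarder" service name are assumptions; adjust them for your environment.

```powershell
# Added example, not code from the thread or from Splunk. It builds a tiny UF app
# whose inputs.conf blacklists the noisy Security event codes at the *input* stage
# (the setting only works where the event is read, i.e. on each UF), then copies the
# app to each forwarder over the admin share and restarts the UF service.
# Assumptions: default UF install path, service name "SplunkForwarder", and the
# computer names below are placeholders.

$AppName    = 'noisy_eventcode_filter'                      # hypothetical app name
$UfPath     = 'C:\Program Files\SplunkUniversalForwarder'   # default UF path (assumption)
$Computers  = @('CLIENT01', 'CLIENT02')                     # placeholder hostnames
$EventCodes = @(5447, 6417)                                 # the event codes from the thread

# A UF needs only the WinEventLog stanza: no [splunktcp://...] input and no
# [default] host override, both of which belong on the indexer side.
$InputsConf = @"
[WinEventLog://Security]
disabled = 0
current_only = 1
# drop these event IDs before they leave the forwarder
blacklist = $($EventCodes -join ',')
"@

# Stage the app locally: <app>/local/inputs.conf is all that is required.
$Staging = Join-Path $env:TEMP $AppName
New-Item -ItemType Directory -Force -Path (Join-Path $Staging 'local') | Out-Null
Set-Content -Path (Join-Path $Staging 'local\inputs.conf') -Value $InputsConf -Encoding ASCII

foreach ($computer in $Computers) {
    # e.g. \\CLIENT01\C$\Program Files\SplunkUniversalForwarder\etc\apps\noisy_eventcode_filter
    $dest = "\\$computer\" + $UfPath.Replace(':', '$') + "\etc\apps\$AppName"
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    Copy-Item -Path (Join-Path $Staging '*') -Destination $dest -Recurse -Force

    # inputs.conf is read at startup, so the forwarder has to be restarted.
    Invoke-Command -ComputerName $computer -ScriptBlock {
        Restart-Service -Name SplunkForwarder
    }
    Write-Host "Deployed $AppName to $computer"
}
```

After the restart, a search on the indexer for those EventCode values with earliest set to the deployment time should come back empty for the patched hosts. If you really cannot touch the forwarders, the fallback PickleRick mentions is an indexer-side props.conf TRANSFORMS entry whose transforms.conf stanza matches the EventCode and routes to nullQueue (DEST_KEY = queue, FORMAT = nullQueue); it works, but the events still cross the network and consume parsing capacity before being dropped.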

SRHunter
Explorer

Right on. I added the blacklist to my machine's UF outputs.conf last night as there wasn't an inputs.conf. I checked this morning and that event is still coming through. This is what the outputs.conf looks like.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = "ip of splunk":9997

[WinEventLog://Security]
disabled=0
current_only=1
blacklist = 5447

PickleRick
SplunkTrust
SplunkTrust

Again - close, but no banana 😉

But seriously, you need to filter on input on those UFs. Not on output.

So you must add those settings to inputs.conf on UFs. Your UFs are not outputting events to EventLog.

SRHunter
Explorer

Alrighty, made an inputs.conf in my splunkuniversalforwarder/etc/system/local that looks like this:

[default]
host = "computername"

[splunktcp:9997]
connection_host = ip

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=5447

I'll bother you in a bit to see if it worked haha. I really appreciate your help!

isoutamo
SplunkTrust
SplunkTrust

On UF you shouldn’t have splunktcp input in inputs.conf.
The only exception is when you are using UF as an intermediate forwarder, but this is a different story.

SRHunter
Explorer

I gotcha, thank you for the info!

SRHunter
Explorer

Son of a...lol I'll give that a shot and get back with you. Thanks for the replies!
