Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

indows Event Security login filter at source not working for renderXml inputs

rbal_splunk
Splunk Employee
Splunk Employee
‎03-10-2016 12:46 PM

I am ingesting Windows Event Security login into Splunk using option “renderXml” and need to filter some EventCodes based on the Keywords.
For example my input stanza is like below

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist1 = EventCode="4648" Keywords="0x8020000000000000"
blacklist2 = EventCode="4672" Keywords=0x8020000000000000
blacklist3 = EventCode="4904" Keywords="0x8020000000000000"
blacklist4 = EventCode="4905" Keywords="??8020000000000000"
renderXml = true

In my case following blacklist is working- but None of the other once are working. What am I missing

blacklist4 = EventCode="4905" Keywords="??8020000000000000" >>>>>Working

following Not working

blacklist1 = EventCode="4648" Keywords="0x8020000000000000" >>>>>Not Working
blacklist2 = EventCode="4672" Keywords=0x8020000000000000 >>>>>Not Working
blacklist3 = EventCode="4904" Keywords="0x8020000000000000" >>>>>Not Working

What am I missing strong text

0 Karma
Reply

rbal_splunk
Splunk Employee
Splunk Employee
‎03-10-2016 12:51 PM

I performed some test and for followingalt text Events

Below are the various blacklist

blacklist 1 = EventCode="4648" Keywords="0x8020000000000000" >>>> Not filtered
blacklist2 = EventCode="4672" Keywords="\b0x8020000000000000" >>>>Filtered
blacklist3 = EventCode="4904" Keywords=\b0x8020000000000000 >>>>Not filtered
blacklist4 = EventCode="4905" Keywords="??8020000000000000" >>>>Filtered

blacklist4 = EventCode="4905" Keywords="??8020000000000000" >>>>Filtered

Result View for Above Data From EventViewer:

Preview file
231 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...