indows Event Security login filter at source not w...

rbal_splunk · ‎03-10-2016

I am ingesting Windows Event Security login into Splunk using option “renderXml” and need to filter some EventCodes based on the Keywords.
For example my input stanza is like below

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist1 = EventCode="4648" Keywords="0x8020000000000000"
blacklist2 = EventCode="4672" Keywords=0x8020000000000000
blacklist3 = EventCode="4904" Keywords="0x8020000000000000"
blacklist4 = EventCode="4905" Keywords="??8020000000000000"
renderXml = true

In my case following blacklist is working- but None of the other once are working. What am I missing

blacklist4 = EventCode="4905" Keywords="??8020000000000000" >>>>>Working

following Not working

blacklist1 = EventCode="4648" Keywords="0x8020000000000000" >>>>>Not Working
blacklist2 = EventCode="4672" Keywords=0x8020000000000000 >>>>>Not Working
blacklist3 = EventCode="4904" Keywords="0x8020000000000000" >>>>>Not Working

What am I missing strong text

rbal_splunk · ‎03-10-2016

I performed some test and for following Events

Below are the various blacklist

blacklist 1 = EventCode="4648" Keywords="0x8020000000000000" >>>> Not filtered
blacklist2 = EventCode="4672" Keywords="\b0x8020000000000000" >>>>Filtered
blacklist3 = EventCode="4904" Keywords=\b0x8020000000000000 >>>>Not filtered
blacklist4 = EventCode="4905" Keywords="??8020000000000000" >>>>Filtered

blacklist4 = EventCode="4905" Keywords="??8020000000000000" >>>>Filtered

Result View for Above Data From EventViewer:

indows Event Security login filter at source not working for renderXml inputs

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...