Getting Data In

input.conf whitelist for windows eventlogs

cannarella
Engager

We are trying to capture failed logons from our AD server but only want to capture specific event logs.

We are using the Splunk Deployment so we don't have to configure each of the 20 servers as we install the Universal Forwarder. I have done a lot of reading through the online docus and searching here but can't figure out how to whitelist only specific codes so we don't use up all of our license on data we don't want to see. Here is a snippet of the input.conf that I am pushing out with the deployment server. This is in the Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\local folder where it is pushed out. I just need a little assistance on what I am missing.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = "EventCode = 4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,4720,4722-4726,4738,4740,4767,4771,4780,4781,5378"

Help me stop pulling my hair out.

1 Solution

yannK
Splunk Employee
Splunk Employee

You can use :

whitelist = 4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,4720,4722-4726,4738,4740,4767,4771,4780,4781,5378

and make sure that you restarted to apply, and that you are on version 6.0.* or 6.1.*

View solution in original post

yannK
Splunk Employee
Splunk Employee

You can use :

whitelist = 4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,4720,4722-4726,4738,4740,4767,4771,4780,4781,5378

and make sure that you restarted to apply, and that you are on version 6.0.* or 6.1.*

wrangler2x
Motivator

This blog entry shows that on Splunk 6 you can just enter the EventCode numbers as shown here by @yannK -- http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

0 Karma

wrangler2x
Motivator

@yannK

I'm having trouble with this. I implemented it in a deployment app, and just assumed it was working. But today I restarted a forwarder which gave me this error:

Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\apps\OIT_WINEVENT_DC_INDEX_WIN_01\default\inputs
.conf, line 23: whitelist (value: 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,46
18,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461 )

Here is the stanza in question (from the deployment app inputs.conf):

[WinEventLog:Security]
disabled = 0
index= winevent_dc_index
whitelist = 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,4618,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461

The forwarder is running on 6.1.4 code. Should it not work there? Or do you see something wrong with this?

0 Karma

spayneort
Contributor

Try using:

[WinEventLog://Security]

instead of:

[WinEventLog:Security]

0 Karma

yannK
Splunk Employee
Splunk Employee

Hi Wrangler2x.
The feature existed on splunk 6.1.4
http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata
it should be fine.

can it be a typo in the string

check" 46 18," in the middle

Or a text file encoding issue, try to edit the file with a code editor (notepad++ by example on window), and look for linebreaks or special characters.

0 Karma

wrangler2x
Motivator

The 46 18 is in the copy from an msdos window to the splunk Answers page of the error output. In the actual whitelist above, you can see 4618. There are no embedded spaces in the whitelist anywhere. I have looked at the file in notepad++ and there are no embedded line breaks or special characters.

I also just re-verified that this is 6.1.4, and it is a heavy forwarder.

Also, the error is Invalid key in stanza and that seems like it does not recognize the term whitelist.

0 Karma

Shayde_Nofziger
Engager

Did you ever find an answer to your issue? I am experiencing the same and can't seem to find any info online.

0 Karma

wrangler2x
Motivator

No. I'm guessing that it is not actually supported until 6.3.x, which I have yet to upgrade to. In the meantime, I've gone back to using the old drop/pass via props.conf and transforms.conf, like this:

[WinEventCodeSecDrop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[WinEventCodeSecPass]
REGEX = (?m)^EventCode=(512|513|517|520|528|529|530|531|532|533|534|535|539|540|624|625|626|632|636|659|642|643|644|660|675|676|671|672|680|681|1100|1102|1104|1108|4612|4616|4618|4624|4625|4634|4720|4728|4729|4732|4733|4738|4740|4756|4757|4767|4768|4771|4772|4776|5461)[^0-9]
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

ITICSNORTH
Explorer

Hi,

Even we are planning for the same thing in our environment can u help me out on this .

i have deployment app on my splunk server and 60 windows server so to make changes in all the server at one time i need to go in to the app folder and in that input.conf ?

can i configure blacklist and whitlist same time?

is there any limitation in creating whitelist and blacklist ?

0 Karma

kjhanson
Path Finder

If you're using your Splunk server as a deployment server then you would edit the inputs.conf file in opt/splunk/etc/deploymentapps//local/inputs.conf and then once you made the change and restarted the server that configuration would automatically be pushed out.

Yes you can configure whitelists and blacklists at the same time. Just remember that the blacklists take precedent.

Splunk can handle up to 10 blacklists and whitelists. This is a good reference: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata#Create_advanced_filters_wi...

0 Karma

yannK
Splunk Employee
Splunk Employee

and use inputs.conf not input.conf.
to verify the result use the btool command.

splunk cmd btool inputs list --debug

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...