
Why won't Windows filter work?

Charlie5
Loves-to-Learn

Hello Splunk Community,

I am having some difficulty getting Windows event log filters to work properly. Whatever I have specified in the inputs.conf of Splunk_TA_windows is being ignored; I can tell because there are significant volumes of events present that are not in the whitelist stanzas. I have even tried blocklisting very large numbers of these unwanted event codes explicitly (in blacklist1) without success.

I can see the app successfully deploy to my clients in internal logs when I push changes to the server class or add-on, and those that I have verified have these exact stanza settings on them are still sending event logs that are not on the whitelist or are explicitly blocklisted.

I am using 8.6.0 of the Windows add-on and UFs on 8.x and 9.x versions (hundreds). To make matters worse, ingest actions are also not working properly. I have tried adding what is effectively the same regex as the ingest action (blacklist1 on Splunk Cloud), but am still seeing these unwanted codes.

Is anyone else having this problem, or am I doing something wrong? Also, I have the format as XML (as I understand it, XML logs are typically smaller in size than their non-XML counterparts). Does this mean in the advanced format filters I need to use `$XmlRegex=` or can I still use the `EventCode=` regex?

[WinEventLog://Security]
renderXml = true
whitelist1=EventCode="(4740|644|104|1100|4624|528|4625|529|4776|680|681|4720|624|4732|636|4728|632|4756|660|4771|675|4730|634|4734|638|4758|662|1102|517|4722|626|4726|630|4768|672|676|4769|673|4765|4766|5145)"
blacklist1=$XmlRegex="EventID>(53506|53504|40970|40962|40961|36928|... (this blocklist goes on and on)


Charlie5
Loves-to-Learn

@caiosalonso 
I've pushed the stanzas as you recommended but still no luck; I'm still getting event codes that I have explicitly blocklisted. I am going to try another ingest action that is limited to fewer event IDs, but I still can't get it to pull a sample from the sourcetype.

Do you know if it needs to pull a sample for the ingest action to work once implemented? Or is there something, like a component in internal logs, that tracks the ingest action actually working?


Charlie5
Loves-to-Learn

Thank you for the suggestion, I will try switching to this format and let you know how it goes.


caiosalonso
Path Finder

Hi,

I have searched some documentation related to filtering Windows data, and I would recommend you use the format with "$XmlRegex". Have you already tried using both whitelist and blacklist with the "$XmlRegex" option?

I guess your stanza should be something similar to:

[WinEventLog://Security]
renderXml = true
whitelist1 = $XmlRegex="<EventID>(4740|644|104|1100|4624|528|4625|529|4776|680|681|4720|624|4732|636|4728|632|4756|660|4771|675|4730|634|4734|638|4758|662|1102|517|4722|626|4726|630|4768|672|676|4769|673|4765|4766|5145)<\/EventID>"
blacklist1 = $XmlRegex="<EventID>(53506|53504|40970|40962|40961|36928|...)<\/EventID>"


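A quick way to check whether the whitelist/blacklist regexes themselves are right, before pushing another deployment, is to run them locally against a few XML-rendered events. The script below is an added example for this thread (the original question about `$XmlRegex` versus `EventCode=` and the suggested stanza above), not code from Splunk or from either poster. It parses `whitelistN`/`blacklistN` lines out of a stanza, supports the `$XmlRegex="..."` key (regex run over the raw event XML) and the `EventCode="..."` key (which the harness maps to the `<EventID>` text), and reports which sample events would survive. The match semantics it uses are assumptions made for the harness, not a statement of how the universal forwarder evaluates filters: all key/regex pairs on one line must match, any matching blacklist line drops the event, and if any whitelist line exists an event must match at least one of them. The sample events and the shortened stanza are constructed.

```python
import re

# Constructed XML-rendered Security events (renderXml = true), trimmed to the
# System block. These are made up for the harness, not captured from a host.
SAMPLE_EVENTS = [
    "<Event><System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Channel>Security</Channel></System></Event>",
    "<Event><System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4672</EventID><Channel>Security</Channel></System></Event>",
    "<Event><System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>40961</EventID><Channel>Security</Channel></System></Event>",
]

# Shortened copy of the stanza suggested in the thread; the real lists are much longer.
STANZA = r"""
[WinEventLog://Security]
renderXml = true
whitelist1 = $XmlRegex="<EventID>(4740|4624|4625|5145)<\/EventID>"
blacklist1 = $XmlRegex="<EventID>(53506|53504|40970|40962|40961)<\/EventID>"
"""

FILTER_LINE = re.compile(r"^\s*(whitelist|blacklist)(\d*)\s*=\s*(.*?)\s*$", re.M)
# key="regex" pairs; the value may contain backslash-escaped characters such as \/
KEY_VALUE = re.compile(r'(\$?\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
EVENT_ID = re.compile(r"<EventID[^>]*>(\d+)</EventID>")


def parse_filters(stanza):
    """Return {'whitelist': [[(key, compiled_regex), ...], ...], 'blacklist': [...]}.

    Each whitelistN/blacklistN line becomes one list of key/regex pairs.
    """
    filters = {"whitelist": [], "blacklist": []}
    for kind, _num, value in FILTER_LINE.findall(stanza):
        pairs = KEY_VALUE.findall(value)
        if not pairs:
            raise ValueError(f"unparsable {kind} value: {value!r}")
        filters[kind].append([(key, re.compile(rx)) for key, rx in pairs])
    return filters


def filter_matches(pairs, xml):
    """Assumption: a filter line matches when every key/regex pair on it matches."""
    for key, rx in pairs:
        if key == "$XmlRegex":
            subject = xml                      # regex runs over the raw XML text
        elif key == "EventCode":
            m = EVENT_ID.search(xml)           # harness maps EventCode to <EventID>
            subject = m.group(1) if m else ""
        else:
            raise ValueError(f"harness does not model key {key}")
        if not rx.search(subject):
            return False
    return True


def would_forward(filters, xml):
    """Assumed semantics: any matching blacklist line drops the event; if any
    whitelist line exists, the event must match at least one of them."""
    if any(filter_matches(pairs, xml) for pairs in filters["blacklist"]):
        return False
    if filters["whitelist"]:
        return any(filter_matches(pairs, xml) for pairs in filters["whitelist"])
    return True


def evaluate(stanza, events):
    """Return [(event_id, forwarded?), ...] for each sample event."""
    filters = parse_filters(stanza)
    return [(EVENT_ID.search(e).group(1), would_forward(filters, e)) for e in events]


if __name__ == "__main__":
    for event_id, kept in evaluate(STANZA, SAMPLE_EVENTS):
        print(f"EventID {event_id}: {'forwarded' if kept else 'dropped'}")
```

Pasting the stanza from the original question into `STANZA` (with the `...` replaced by the full list) shows whether each pattern matches the XML you expect; a pattern that fails here will not work on the forwarder either, while one that passes here narrows the problem to deployment or precedence on the Splunk side.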

Charlie5
Loves-to-Learn

I've tried both, and rendering in non-XML format and filtering using the non-XML format for blacklists/whitelists, still no luck.
