Splunk Enterprise

Denylisting events for windows

lclayton95
Loves-to-Learn Everything

I am currently denying chrome and edge processes from being indexed with the following regex:


blacklist7 = EventCode="4673" Message="Audit\sFailure[\W\w]+Process\sName:[^\n]+(chrome.exe|msedge.exe)"


This works on the majority of the forwarders. However, some stragglers still send these events even though they have the updated inputs deployed on their systems. My workaround is to nullqueue the events in transforms.conf in the /etc/system/local directory. I believe this should be working at the forwarder level. Any ideas as to why this is happening?


For some perspective, I have 400 Windows machines and only 5 of the systems still send in the events even after a deployment server reload.


richgalloway
SplunkTrust

I suspect two possibilities, although there may be others.

1) The five UFs do not have the right settings. Confirm using btool.

2) The regex is failing to match on the five UFs because of some difference(s) in the event log.

---
If this reply helps you, Karma would be appreciated.
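
An added test harness for the second possibility above; it is not from this thread or from Splunk. It runs the posted blacklist regex (with Python's re standing in for Splunk's regex engine) over constructed 4673-style messages to show which formatting differences on a straggler would stop the filter matching. It assumes Splunk applies each key's value as a regex search against that event field.

```python
import re

# The poster's inputs.conf blacklist line, split into its two keys. Assumption
# (not checked against Splunk source): each value is a regex searched against
# the corresponding field of the Windows event.
EVENTCODE_RE = re.compile(r"4673")
MESSAGE_RE = re.compile(
    r"Audit\sFailure[\W\w]+Process\sName:[^\n]+(chrome.exe|msedge.exe)"
)


def is_denied(event_code: str, message: str) -> bool:
    """True when both keys match, i.e. the forwarder would drop the event."""
    return bool(EVENTCODE_RE.search(event_code) and MESSAGE_RE.search(message))


def _msg(keyword: str, process_path: str, newline: str = "\n") -> str:
    """Build a constructed 4673-style message body (layout is illustrative only)."""
    lines = [
        keyword,
        "A privileged service was called.",
        "Process:",
        "\tProcess ID:\t0x1a2b",
        "\tProcess Name:\t" + process_path,
    ]
    return newline.join(lines) + newline


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed samples, not real captures; each name says which variation it tests.
SAMPLES = {
    "chrome-lf": ("4673", _msg("Audit Failure", CHROME)),
    "edge-crlf": ("4673", _msg("Audit Failure", EDGE, "\r\n")),
    "svchost": ("4673", _msg("Audit Failure", r"C:\Windows\System32\svchost.exe")),
    "chrome-uppercase": ("4673", _msg("Audit Failure", CHROME.upper())),
    "chrome-success": ("4673", _msg("Audit Success", CHROME)),
    "chrome-4674": ("4674", _msg("Audit Failure", CHROME)),
}


def not_denied(samples: dict) -> list:
    """Names of samples that pass the blacklist; feed a straggler's real message
    text through is_denied() the same way to find the responsible difference."""
    return sorted(n for n, (code, msg) in samples.items() if not is_denied(code, msg))


if __name__ == "__main__":
    for name, (code, msg) in SAMPLES.items():
        print(f"{name:18} denied={is_denied(code, msg)}")
    print("passes through:", not_denied(SAMPLES))
```

Case-sensitivity and the "Audit Failure" wording are the two variations most likely to differ between hosts, so those are the first things to compare in the straggler's raw event.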

lclayton95
Loves-to-Learn Everything

Looks like they all have the same settings as the others. The logs look identical to the ones that are already blacklisted.
