Hello,
We are trying to add a filter on the input of the Windows event log.
The input conf is:
[WinEventLog://Security]
disabled = 0
index = windows
blacklist1 = 5145,5156
blacklist2 = EventCode=4672 SubjectUserName="exchange\$"
renderXml=true
suppress_text=true
suppress_sourcename=true
suppress_keywords=true
suppress_task=true
suppress_opcode=true
blacklist1 is working well, but blacklist2 is not working.
The target is to filter out event ID 4672 with SubjectUserName equal to "exchange$".
Any ideas?
Thank you
blacklist2 isn't working because SubjectUserName is not a supported key.
From inputs.conf.spec:
The key must belong to the set of valid keys provided below.
* Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User
Hi,
Thank you for your answer.
This is an example of the log I want to filter out:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{GUID}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-03-27T06:12:23.991443700Z'/><EventRecordID>4172712244</EventRecordID><Correlation ActivityID='ID'/><Execution ProcessID='1096' ThreadID='1486900'/><Channel>Security</Channel><Computer>exchange</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>SID</Data><Data Name='SubjectUserName'>exchange$</Data><Data Name='SubjectDomainName'>AD</Data><Data Name='SubjectLogonId'>0x63767d73d</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeDebugPrivilege</Data></EventData></Event>
will the field SubjectUserName be mapped to User?
Thank you
No, at the input level nothing is "mapped". Nothing is even parsed apart from splitting the input stream into events.
Understood.
So is it possible to filter these kinds of events?
On UF? Unless you write your own input program, I don't think so. You can filter them at the first "heavy" component (heavy forwarder or indexer) in the path.
See https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad
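One way to do that drop on the first heavy forwarder or indexer, as an added example that is not part of the original thread and not taken from the linked docs page: a props.conf/transforms.conf pair that sends matching raw events to nullQueue. It assumes the events arrive with sourcetype XmlWinEventLog:Security (what renderXml=true produces) and the single-quoted XML layout shown in the sample above; the stanza and transform names are illustrative.

```ini
# props.conf on the heavy forwarder or indexer (added example, not the poster's config).
# Assumption: renderXml=true on the UF yields sourcetype XmlWinEventLog:Security.
[XmlWinEventLog:Security]
TRANSFORMS-drop_4672_exchange = drop_4672_exchange

# transforms.conf on the same host.
# REGEX runs against _raw (the whole XML event), so it can see <Data Name='SubjectUserName'>,
# which the UF-side blacklist keys cannot. The trailing $ of the machine account is escaped,
# and (?s) lets .*? cross the newlines inside <PrivilegeList>.
[drop_4672_exchange]
REGEX = (?s)<EventID>4672</EventID>.*?<Data Name='SubjectUserName'>exchange\$</Data>
DEST_KEY = queue
FORMAT = nullQueue
```

The rule has to live on the first full Splunk instance the data passes through, because nullQueue routing happens in the parsing pipeline that a universal forwarder does not run; the UF still ships the events over the network, but dropped events are not indexed or counted against the license. After restarting that instance, a search such as index=windows "<EventID>4672</EventID>" "SubjectUserName'>exchange$" over new data should return nothing.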