Splunk Enterprise

Schedule or Auto-trigger blacklist

michaeler
Communicator

Every month when software updates go out, my Enterprise deployment exceeds the license. I get overloaded with Event Code 4663. After the first time, I just added it to the blacklist in inputs.conf and problem solved.

I'd like to leave that EventCode active and only disable it when the majority of systems are updating. I know I can do this manually, but I am trying to find out if there is a way to automatically enable the blacklist based on the date, or to set a trigger based on a specific series of event codes that indicate software updates.

If anyone has tried this before, I'm very curious whether there's a solution.

0 Karma

venkatasri
SplunkTrust

@michaeler Nope, it's just an idea!

0 Karma

venkatasri
SplunkTrust

Hi @michaeler

You can schedule an alert to monitor when updates start, based on a specific EventCode or pattern in the logs. The alert's 'alert action' shall be a script which in turn changes the blacklist settings in inputs.conf, which further needs to be pushed to the Windows UF clients.

As the script gets executed locally on the SH, it shall be able to reach out to your Deployment Server, where your inputs.conf exists, to modify it through SSH; or if your SH Deployer and Deployment Server are co-located, it would be easier.

Hope this helps!

0 Karma
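One way the scripted alert action described above could look, as an added example that is not the answerer's script and not part of the original thread. It assumes the deployment server is co-located with the search head (the easier case mentioned), a deployment app called `win_security` carrying the `[WinEventLog://Security]` stanza, and two alerts named `win_updates_started` and `win_updates_finished` that share this one script; all of those names and paths are assumptions.

```shell
#!/bin/sh
# Added example: a scripted alert action that toggles the EventCode 4663
# blacklist in a deployment-server inputs.conf and reloads the deployment
# server so the universal forwarders pick up the change.
# Assumptions: SPLUNK_HOME, the deployment app path and the alert names.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
# Assumed deployment app that carries the Windows Security input
INPUTS_CONF="${INPUTS_CONF:-$SPLUNK_HOME/etc/deployment-apps/win_security/local/inputs.conf}"
STANZA='[WinEventLog://Security]'
BLACKLIST_LINE='blacklist1 = EventCode="4663"'

# blacklist_active FILE: succeed if the exact blacklist line is present
blacklist_active() {
  grep -qxF "$BLACKLIST_LINE" "$1"
}

# enable_blacklist FILE: insert the line directly under the stanza header;
# idempotent, so repeated alert firings never duplicate it. If the stanza
# is missing entirely, it is appended first so the line lands somewhere.
enable_blacklist() {
  blacklist_active "$1" && return 0
  grep -qxF "$STANZA" "$1" || printf '%s\n' "$STANZA" >> "$1"
  awk -v stanza="$STANZA" -v line="$BLACKLIST_LINE" \
    '{ print } $0 == stanza { print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# disable_blacklist FILE: remove only the line this script manages,
# leaving any other blacklist entries in the stanza untouched
disable_blacklist() {
  grep -vxF "$BLACKLIST_LINE" "$1" > "$1.tmp" || true
  mv "$1.tmp" "$1"
}

# Assumes the deployment server runs on this host (co-located with the SH);
# the reload pushes the modified app to the Windows UF clients.
reload_deploy_server() {
  "$SPLUNK_HOME/bin/splunk" reload deploy-server
}

# Legacy scripted alert actions receive the saved-search name as $4, so one
# script can serve both alerts (assumed names below).
case "${4:-}" in
  win_updates_started)  enable_blacklist "$INPUTS_CONF" && reload_deploy_server ;;
  win_updates_finished) disable_blacklist "$INPUTS_CONF" && reload_deploy_server ;;
esac
```

Because the on/off state lives in the deployed inputs.conf, a quick `grep blacklist1` on the deployment app shows whether 4663 is currently suppressed, which is worth checking before trusting an audit search over that window.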

michaeler
Communicator

Sounds like a reasonable solution. Have you done this before or just an idea? If you have done it before, any chance you could share the script with me?

0 Karma