Splunk Enterprise

Wineventlog Filtration

anandhalagaras1
Path Finder

Hi All,

Based on this query, I want to filter out wineventlog events before ingesting them into Splunk, so that I can save some license usage. The condition is something like this: for two of the sourcetypes and for the particular EventCodes (4624, 4634), I want to filter out the logs if they come from Account Name = - & *$, for a particular set of hosts.

index=abc sourcetype IN (winev,wind) EventCode IN (4624,4634) Account_Name="-" Account_Name="*$" host=*xyz*

 

So do we need to write the blacklist stanza in the inputs.conf file, or do we need to specify props and transforms separately?

 

Actually, for all Windows client machines we are ingesting the wineventlog with the help of the Deployment master server.

So from the Deployment master server we push the configurations to all Windows machines; kindly help with the stanza for the same.

0 Karma

scelikok
Champion

Hi @anandhalagaras1,

You can use a blacklist on your inputs like below, but this will not filter on a host basis. You may think about sending this stanza to specific hosts by creating a separate serverclass.

[WinEventLog://Security]
# Stanza name uses the WinEventLog:// form from inputs.conf.spec. In blacklist2,
# "\S+\$" matches an account name ending in "$"; the posted "\s+*\$" does not
# compile as a regex ("*" cannot follow "+").
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
If this reply helps you an upvote is appreciated.
0 Karma

anandhalagaras1
Path Finder

@scelikok 

Thank you for your response. So I have created an app and entered the blacklist as mentioned below, and I am planning to deploy it to those particular hosts as you have explained.

[WinEventLog://Security]
disabled=0
current_only=1
# "\S+\$" matches an account name ending in "$"; the originally posted
# "\s+*\$" does not compile as a regex ("*" cannot follow "+").
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
blacklist3 = EventCode = "4634" Message = "Account Name:\s+-"
blacklist4 = EventCode = "4634" Message = "Account Name:\s+\S+\$"
renderXml=0
index = abc

 

But I can already see there is one inputs.conf file with a [WinEventLog://Security] stanza that has around 10 blacklist entries, and those 10 blacklists are being deployed to all the Windows client machines, since in the serverclass.conf file I can see they have a whitelist of * for the hosts. So it is deployed to all Windows client machines.

So, as mentioned above, if I deploy the recently created app to that set of servers for EventCodes 4624 and 4634, will it affect the existing blacklist which is already present (i.e. the 10 blacklists), since both sources are the same [WinEventLog://Security]?

Kindly help to confirm the same; based on that I will plan and deploy it.

 

0 Karma

anandhalagaras1
Path Finder

@scelikok 

Can you kindly check and help me out on the same?

0 Karma

anandhalagaras1
Path Finder

@scelikok ,

Now I have created an app and deployed it to those servers alone by specifying them in the serverclass.conf file, but I can see the logs are still getting ingested into Splunk.

So is there anything which I am missing?

 

[WinEventLog://Security]
disabled=0
current_only=1
# "\S+\$" matches an account name ending in "$"; the originally posted
# "\s+*\$" does not compile as a regex ("*" cannot follow "+").
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
blacklist3 = EventCode = "4634" Message = "Account Name:\s+-"
blacklist4 = EventCode = "4634" Message = "Account Name:\s+\S+\$"
renderXml=0
index = abc

I have also restarted the Splunk services on all those client machines, but I can still see the logs being ingested into Splunk.

So is it not working because of another input which is already present for the same source? Kindly help me on the same.

 

0 Karma
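Added example, not code from the thread or from Splunk: a short Python script that simulates what happens when two deployed apps both carry a [WinEventLog://Security] stanza (the question above about the existing 10 blacklists) and that checks the blacklist regexes against constructed 4624 message text before they are pushed from the deployment server. The merge order of the two apps, the sample inputs.conf contents, the event messages and all function names are assumptions made for this example; on a real forwarder the merged result is what `splunk btool inputs list WinEventLog://Security --debug` prints.

```python
"""Added example, not from the thread: simulate Splunk's stanza merge for two
apps that both carry [WinEventLog://Security], and test blacklist regexes
against constructed 4624 message text. Merge order is an assumption."""
import re

# Constructed stand-in for the app already deployed to every Windows host
# (the thread says it has ~10 blacklist keys; two are enough to show the collision).
EXISTING_APP = r"""
[WinEventLog://Security]
disabled = 0
blacklist1 = EventCode = "5156"
blacklist2 = EventCode = "4688" Message = "Process Name:.*conhost\.exe"
"""

# Constructed new app reusing the thread's key names. The thread's `\s+*\$`
# does not compile; `\s+\S+\$` means "a token ending in $" (machine accounts).
NEW_APP = r"""
[WinEventLog://Security]
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
"""

# Same rules renumbered so they add to, rather than overwrite, the existing keys.
NEW_APP_RENUMBERED = NEW_APP.replace("blacklist1", "blacklist11").replace("blacklist2", "blacklist12")


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}} (no continuation lines)."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf


def merge_layers(layers):
    """Identical stanza names merge key by key; for a key present in several
    layers the last layer listed here wins. Assumption: the caller passes apps
    from lowest to highest precedence. On a real host, confirm the result with
    `splunk btool inputs list WinEventLog://Security --debug`."""
    merged = {}
    for text in layers:
        for stanza, keys in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


_PAIR = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_blacklist(value):
    """'EventCode = "4624" Message = "..."' -> {field: regex} (quoted form only)."""
    return dict(_PAIR.findall(value))


def regex_error(pattern):
    """Compile error text for a blacklist regex, or None if it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def blacklisted_by(event, stanza):
    """First blacklist key whose field regexes all match the event, else None.
    Pairs inside one key are ANDed; any matching key drops the event."""
    for key in sorted(k for k in stanza if k.startswith("blacklist")):
        rules = parse_blacklist(stanza[key])
        if rules and all(re.search(rx, str(event.get(f, ""))) for f, rx in rules.items()):
            return key
    return None


# Constructed 4624 messages, trimmed to the lines the regexes look at. A 4624
# event carries an "Account Name:" line under both Subject and New Logon, so a
# rule that is not anchored to "New Logon:" also drops real user logons.
def msg(subject, new_logon):
    return (f"An account was successfully logged on.\n\nSubject:\n"
            f"\tAccount Name:\t\t{subject}\n\nNew Logon:\n"
            f"\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n\tAccount Name:\t\t{new_logon}\n")

MACHINE_LOGON = {"EventCode": "4624", "Message": msg("WIN-SRV01$", "WIN-SRV01$")}
NETWORK_USER = {"EventCode": "4624", "Message": msg("-", "jdoe")}           # logon type 3: subject is "-"
CONSOLE_USER = {"EventCode": "4624", "Message": msg("WIN-SRV01$", "jdoe")}  # logon type 2: subject is the host

# A tighter alternative that only looks at the New Logon account.
SCOPED = {"blacklist1": r'EventCode = "4624" Message = "New Logon:\s+Security ID:\s+\S+\s+Account Name:\s+\S+\$"'}

if __name__ == "__main__":
    merged = merge_layers([EXISTING_APP, NEW_APP])["WinEventLog://Security"]
    print("collision:", sorted(k for k in merged if k.startswith("blacklist")))
    merged = merge_layers([EXISTING_APP, NEW_APP_RENUMBERED])["WinEventLog://Security"]
    print("renumbered:", sorted(k for k in merged if k.startswith("blacklist")))
    print("thread regex:", regex_error(r"Account Name:\s+*\$"))
    for name, ev in [("machine", MACHINE_LOGON), ("network user", NETWORK_USER), ("console user", CONSOLE_USER)]:
        print(f"{name}: broad -> {blacklisted_by(ev, merged)}, scoped -> {blacklisted_by(ev, SCOPED)}")
```

Two things the run shows. First, the new app's blacklist1 and blacklist2 replace the existing app's keys of the same name instead of adding to them, so the new entries need unused numbers (blacklist11, blacklist12, or whatever the existing stanza does not already use). Second, because a 4624 message has an Account Name line under both Subject and New Logon, the broad `\s+-` and `\s+\S+\$` rules also drop ordinary user logons (a network logon has Subject "-", an interactive logon has the computer account as Subject); anchoring the regex to the New Logon section keeps those and still drops the machine-account event.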
