Splunk Enterprise

Wineventlog Filtration

anandhalagaras1
Communicator

Hi All,

Based on this query I want to filter out wineventlog before ingesting into Splunk, so that I can save some license. So the condition is something like: for two of the sourcetypes and for the particular event codes (4624, 4634), I want to filter out the logs if they come from Account Name = - & *$ for the particular set of hosts.

index=abc sourcetype IN (winev,wind) EventCode IN (4624,4634) Account_Name="-" Account_Name="*$" host=*xyz*


So do we need to write the blacklist stanza in the inputs.conf file, or do we need to specify the props and transforms separately?


Actually, for all Windows client machines we are ingesting the wineventlog with the help of the Deployment master server.

So from the Deployment master server we push the configurations to all Windows machines, so kindly help with the stanza for the same.


scelikok
SplunkTrust

Hi @anandhalagaras1,

You can use a blacklist on your inputs like below, but this will not filter on a host basis. You may think about sending this stanza to specific hosts by creating a separate serverclass.

[WinEventLog://Security]
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

anandhalagaras1
Communicator

@scelikok 

Thank you for your response. So I have created an app and entered the blacklist as mentioned below, and I am planning to deploy it for those particular hosts as you have explained.

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
blacklist3 = EventCode = "4634" Message = "Account Name:\s+-"
blacklist4 = EventCode = "4634" Message = "Account Name:\s+\S+\$"
renderXml=0
index = abc


But I can already see there is one inputs.conf file for [WinEventLog://Security] with around 10 blacklists mentioned for that stanza, and these 10 blacklists are getting deployed to all the Windows client machines, since in the serverclass.conf file I can see that they have a whitelist of * for the hosts. So it is deployed to all Windows client machines.


So, as mentioned above, if I deploy the recently created app for the set of servers and for the event codes (4624, 4634), will it affect the existing blacklists which are already present (i.e. the 10 blacklists), since both of the sources are the same [WinEventLog://Security]?

Kindly help to confirm the same. Based on that I will plan and deploy it.


anandhalagaras1
Communicator

@scelikok 

Can you kindly check and help me out on the same?

anandhalagaras1
Communicator

@scelikok ,

Now I have created an app and deployed it for those servers alone by mentioning them in the serverclass.conf file, but I can see the logs are still getting ingested into Splunk.

So is there anything which I am missing?

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+\S+\$"
blacklist3 = EventCode = "4634" Message = "Account Name:\s+-"
blacklist4 = EventCode = "4634" Message = "Account Name:\s+\S+\$"
renderXml=0
index = abc

I have also restarted the Splunk services on all those client machines, but I can still see the logs being ingested into Splunk.

So is it because of another input which is already present for the same source that it is not working? Kindly help me on the same.

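As an added illustration (not code from this thread or from Splunk), the blacklist regexes discussed above are applied in Python to two constructed 4624 Message bodies; Python's re is assumed to agree with the PCRE engine Splunk uses for these constructs, and the combined pattern is an assumption that mirrors the search in the question. It shows that the originally posted `Account Name:\s+*\$` is a regex syntax error, and that `Account Name:\s+-` on its own also matches the Subject section of a real user's logon and would drop that event.

```python
import re

# Constructed, abbreviated 4624 Message bodies in the Windows Security log layout.
# "Subject" is the account that requested the logon; "New Logon" is who actually logged on.
USER_LOGON = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tAccount Domain:\t\t-

Logon Type:\t\t\t3

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111
\tAccount Name:\t\talice
\tAccount Domain:\t\tCORP
"""
MACHINE_LOGON = USER_LOGON.replace("alice", "WS01$")  # computer-account logon

# Regexes in the style of the thread's blacklist lines (Splunk tests them against Message).
BLACKLIST = {
    # blacklist1 as posted: hits the Subject section of nearly every 4624 event
    "dash_anywhere": r"Account Name:\s+-",
    # computer-account form with the stacked quantifier corrected to \S+
    "computer_anywhere": r"Account Name:\s+\S+\$",
    # assumed stricter pattern mirroring the search in the question:
    # Subject account is "-" AND the New Logon account ends in "$"
    "dash_subject_and_computer_logon": (
        r"Subject:\s+Security ID:\s+.+\s+Account Name:\s+-\n"
        r"(?:.|\n)*?New Logon:(?:.|\n)*?Account Name:\s+\S+\$"
    ),
}


def is_valid_regex(pattern: str) -> bool:
    """True if the pattern compiles; the posted 'Account Name:\\s+*\\$' does not."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def dropped_by(message: str) -> list[str]:
    """Names of the blacklist entries that would discard this event."""
    return sorted(name for name, pat in BLACKLIST.items() if re.search(pat, message))
```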