Blacklisting Wineventlog

anandhalagaras1
Contributor

Hi Team,

I got a requirement to filter out, for the source [WinEventLog:Security] on 14 hosts (Host and ComputerName are the same), the events with EventCode 4624 and 4634 where Account Name : - & Account Name : *$ (the * represents the host name of one of the 14 hosts); those logs should be filtered out before ingestion.

So initially we have a deployment master server in place, and we have a separate customized app "windows_inputs" for pushing the Windows parameters to all the client machines.

In the app "windows_inputs" we have an inputs.conf file, and there is already a stanza for the source [WinEventLog:Security]; in that stanza I can see around 11 blacklist entries already in place.

Sample:

[WinEventLog://Security]
disabled=0
current_only=1
blacklist = xyz
blacklist1 = abc
blacklist2 = def
blacklist3 = ghi
:
:
blacklist11 = xyz
renderXml=0
index = wineventlog

My requirement:

Host & ComputerName are the same, 14 in total.

exmirr01
exmirr02
exmirr03
exmirr04
exmirr05
exmirr06
exmirr07
exmirr08
exmirr09
exmirr10
exmirr11
exmirr12
exmirr13
exmirr14

And the Account Names are like this:

Account Name : -
Account Name : exmirr01$
Account Name : exmirr02$
Account Name : exmirr03$
Account Name : exmirr04$
Account Name : exmirr05$
Account Name : exmirr06$
Account Name : exmirr07$
Account Name : exmirr08$
Account Name : exmirr09$
Account Name : exmirr10$
Account Name : exmirr11$
Account Name : exmirr12$
Account Name : exmirr13$
Account Name : exmirr14$

So how can I filter out the logs for those particular ComputerNames and EventCodes if the Account Name is - & *$? Should I enter something like the following continuation in the same app "windows_inputs" under inputs.conf:

blacklist12 = ... and so on

Or do I need to move the outputs of those 14 hosts to an HF server, from where they will reach the indexers? In that case, can I place the props and transforms on the HF server to filter out this condition? Kindly help me on this.

And also, what would be the stanza we need to use if I should place it in inputs.conf, and what would the props and transforms be if they should be placed on the Heavy Forwarder server?

So kindly help on my request.

anandhalagaras1
Contributor

Can anyone help on my request?

gcusello
SplunkTrust

Hi @anandhalagaras1,

could you modify your question, putting code and data in "Insert/Edit Code sample"?

It's difficult to read your question!

Anyway, let me understand:

  • you have wineventlogs from 14 Windows servers,
  • you want only events with EventCode=4624 (login) and 4634 (logout),
  • I have difficulties understanding the requirement about the Accountname: maybe you want to exclude the ones with AccountName=*$?

Then, do you want to exclude the other events from indexing, or only in search?

If at index time, I think that it isn't possible, because in the same wineventlog events there are more values for Accountname and sometimes they are different (one of them could be *$).

If at search time, you can modify your regexes to extract the correct Accountname or use mvindex; e.g. to take the second value of Accountname you could use

| eval Accountname=mvindex(Accountname, 1)

(remember that the index starts from 0).

I hope I managed to help you; otherwise, give us more information and surely someone will help you.

Ciao.

Giuseppe


anandhalagaras1
Contributor

@gcusello 

Thank you for your response.

My requirement is to save license. I want to filter out the logs before ingestion for the 4624 & 4634 EventCodes on those 14 hosts if the Message field contains Account Name as "-" & Account Name as "*$".

So do I need to write this in inputs.conf, or should we create props and transforms?


gcusello
SplunkTrust

Hi @anandhalagaras1,

you could insert in inputs.conf the requirement of whitelisting only EventCodes 4624 and 4634, and this is easy (for more info see https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Inputsconf):

whitelist1 = EventCode=4624
whitelist2 = EventCode=4634

but remember that in this way you're losing the option to monitor other events (e.g. logfail 4625).

The other requirement is more difficult because, as I said and you surely know, Windows event logs are very verbose and complicated, so in the same event there are more values for the Accountname field; you cannot discard events with Accountname=*$ because maybe in the other values of the same event there's what you're searching for.

Ciao.

Giuseppe
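
As an added illustration (not from this thread or from Splunk), the Python script below applies Splunk-style blacklist rules (each blacklistN line is an AND of key=regex pairs; any matching line discards the event) to constructed 4624/4634 messages, and shows why a rule that matches "Account Name: -" on its own also drops a person's logon, which is the multi-value problem described in the answer above. The key names ComputerName, EventCode and Message, the host pattern and the sample messages are assumptions, and Splunk's % regex delimiters are left out.

```python
import re

# Constructed sample Security events (not real logs); Message text is cut
# down to the Subject / New Logon lines that a blacklist would look at.
EVENTS = [
    # machine-account network logon on a listed host: the kind to drop
    {"ComputerName": "exmirr01", "EventCode": "4624", "Message":
     "Subject:\n  Account Name:  -\n\nLogon Type:  3\n\n"
     "New Logon:\n  Account Name:  exmirr01$\n"},
    # interactive logon of a person: same "-" in Subject, must be kept
    {"ComputerName": "exmirr01", "EventCode": "4624", "Message":
     "Subject:\n  Account Name:  -\n\nLogon Type:  10\n\n"
     "New Logon:\n  Account Name:  alice\n"},
    # machine-account logoff on a listed host: drop
    {"ComputerName": "exmirr03", "EventCode": "4634", "Message":
     "Subject:\n  Account Name:  exmirr03$\n\nLogon Type:  3\n"},
    # host outside the 14: keep regardless of content
    {"ComputerName": "fileserv9", "EventCode": "4624", "Message":
     "Subject:\n  Account Name:  -\n\nNew Logon:\n  Account Name:  fileserv9$\n"},
]

HOSTS = r"^exmirr(0[1-9]|1[0-4])$"  # the 14 hosts from the question (assumed key)

# Each dict stands for one blacklistN line: every key=regex pair must match
# (AND); any line that matches discards the event (OR across lines).
NAIVE = [
    {"ComputerName": HOSTS, "EventCode": r"^(4624|4634)$",
     "Message": r"Account Name:\s+-"},
    {"ComputerName": HOSTS, "EventCode": r"^(4624|4634)$",
     "Message": r"Account Name:\s+\S+\$"},
]
# Tie "-" and "host$" to their own sections so a person's logon survives.
PRECISE = [
    {"ComputerName": HOSTS, "EventCode": r"^4624$", "Message":
     r"(?s)Subject:.*?Account Name:\s+-.*?New Logon:.*?Account Name:\s+exmirr\d{2}\$"},
    {"ComputerName": HOSTS, "EventCode": r"^4634$", "Message":
     r"(?s)Subject:.*?Account Name:\s+exmirr\d{2}\$"},
]

def blacklisted(event, rules):
    """True if any rule matches the event on all of its keys."""
    return any(all(re.search(rx, event.get(k, "")) for k, rx in r.items())
               for r in rules)

def dropped(rules):
    """Indexes of the sample events a rule set would discard before ingestion."""
    return [i for i, e in enumerate(EVENTS) if blacklisted(e, rules)]

if __name__ == "__main__":
    print("naive drops:  ", dropped(NAIVE))    # [0, 1, 2]: alice's logon is lost
    print("precise drops:", dropped(PRECISE))  # [0, 2]
```

Whatever rule you end up with, run it against a day of real events from those hosts in search first and compare the counts, because a dropped event cannot be recovered.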
