
Filter windows events in Splunk

vad34
Path Finder

Hello
Can someone write here the steps and which files I have to edit in order to filter Windows events?
Tnx


sover
Engager

Hey vad34,

You can use something like this in your inputs.conf:

   [WinEventLog://Security]
   disabled=0
   current_only=1
   blacklist1=EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

The reference I'm grabbing from is this blog post:
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

This is a little more elegant, but it's specific to WinEventLog data. jmallorquin's solution is universal to any data source.


vad34
Path Finder

Yes, I restarted the whole Splunk server.


jmallorquin
Builder

Other silly question... what version of the universal forwarder are you running?

If you still have problems use my method 🙂


vad34
Path Finder

Hi, the version is 6.3.2


jmallorquin
Builder

And is your stanza

[WinEventLog:Security] OR [WinEventLog://Security]

Because the first one is incorrect.


vad34
Path Finder

My stanza is [WinEventLog:Security], I will correct it now and check; update soon.


vad34
Path Finder

BTW, do I only need to edit /opt/splunk/etc/system/local/inputs.conf, or also the Windows apps: /opt/splunk/etc/apps/splunk_app_windows_infrastructure and /opt/splunk/etc/apps/Splunk_TA_windows?


jmallorquin
Builder

system local configuration persists over ALL


vad34
Path Finder

OK, will correct it now and update you.


vad34
Path Finder

I followed the blog; I don't have Group Policy, so I configured this:

   [WinEventLog:Security]
   disabled = 0
   current_only=1
   blacklist1=EventCode="4726"

but I'm still getting the events in Splunk.
Any ideas?


sover
Engager

Silly question – have you restarted the forwarder?


vad34
Path Finder

Tnx for the quick reply, appreciate it!
I configured the following in inputs.conf:

   host = mysplunk
   [splunktcp://9997]
   [WinEventLog:System]
   disabled = 0

   # only index events with these event IDs.
   whitelist = 7036-7037

   # exclude these event IDs from being indexed.
   blacklist = 0-7035,7037-10000

   [WinEventLog:Security]
   disabled = 0
   whitelist = 0-1
   blacklist = 4725-4800

I configured it in /opt/splunk/etc/system/local/inputs.conf, restarted Splunk and still get irrelevant events.
I copied it to /opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf and to /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local/inputs.conf, restarted Splunk and it's still the same.
Do I have to edit props.conf and transforms.conf?
Tnx in advance


jkat54
SplunkTrust

The above looks good. Try running this command

   ./splunk cmd btool inputs list --debug

and check the output to see if the inputs aren't being overruled by another blacklist setting in conf files of other Splunk apps.


vad34
Path Finder

Hi
Here is the output fragment of the debug command:

   host = splunk-102
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = windows
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
   /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxSockets = 0
   /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxThreads = 0
   /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = port
   /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf useDeploymentServer = 0
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://printer]
   /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
   /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf dedicatedIoThreads = 2
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
   /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf enableSSL = 1
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dc_name =
   /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dns_name =
   host = splunk-102

How can I define if the inputs aren't being overruled?

Tnx

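As an added example (not from the thread, not Splunk's own tooling), a small Python parser for the `btool inputs list --debug` output shown above: it records which conf file supplies the effective value of every whitelist/blacklist key in each WinEventLog stanza, and flags a channel that appears under two stanza spellings (the WinEventLog:Security versus WinEventLog://Security mismatch raised in the thread), since settings in one stanza are not merged into the other. The sample btool output is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk cmd btool inputs list --debug` output (not the thread's real
# output). Each line is "<source .conf> [stanza]" or "<source .conf> <key> = <value>".
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:\\s+(?!groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = windows
/opt/splunk/etc/system/local/inputs.conf [WinEventLog:Security]
/opt/splunk/etc/system/local/inputs.conf disabled = 0
/opt/splunk/etc/system/local/inputs.conf whitelist = 0-1
/opt/splunk/etc/system/local/inputs.conf blacklist = 4725-4800
host = splunk-102
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+\.conf)\s+(?:\[(?P<stanza>[^\]]+)\]|(?P<key>\S+)\s*=\s*(?P<val>.*))$")

def parse_btool_debug(text):
    """Return {stanza: {key: (effective_value, source_file)}}; btool prints the winning
    value of every key next to the file it came from, which is what reveals an override."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                      # lines without a source path (e.g. "host = ...")
            continue
        if m.group("stanza") is not None:
            current = m.group("stanza")
            stanzas.setdefault(current, {})
        elif current is not None:
            stanzas[current][m.group("key")] = (m.group("val").strip(), m.group("src"))
    return stanzas

def audit_event_filters(stanzas, prefix="WinEventLog"):
    """List the source file of each whitelist*/blacklist* key in WinEventLog stanzas and
    report a channel configured under more than one stanza spelling."""
    filters, by_channel = [], defaultdict(list)
    for name, keys in stanzas.items():
        if not name.startswith(prefix):
            continue
        by_channel[name[len(prefix):].lstrip(":/")].append(name)   # "Security"
        for key, (val, src) in sorted(keys.items()):
            if key.startswith(("whitelist", "blacklist")):
                filters.append((name, key, val, src))
    split = {ch: sorted(names) for ch, names in by_channel.items() if len(names) > 1}
    return {"filters": filters, "split_stanzas": split}
```

Run it on the real `./splunk cmd btool inputs list --debug` output: a filter key whose source path is not the file you edited is being overruled, and a channel listed under two stanza names means your filter sits in a stanza the input does not read.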