Hi,
Looking for some assistance with a regex blacklist in inputs.conf on Windows systems. We modified the inputs.conf located at:
/opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf
Applied regex:
blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'>(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe)|(C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe)</Data>"
I attempted all available methods to blacklist the events above, but they did not take effect. Do we need to make modifications in order to successfully blacklist them?
Thanks
I think I just answered that. Splunk is only part of the answer. After all, Splunk can't show you what isn't indexed. Therefore, if Splunk doesn't find a blacklisted event then the blacklist probably is working. Confirm that by looking at Windows Event Viewer to see if a blacklisted event was generated.
@richgalloway
Thanks. As I see it, on some hosts the changes have not been reflected. What could be the issue?
Hi @richgalloway @gcusello ,
How can we utilize Btool on the host to troubleshoot whether the Universal Forwarder (UF) is utilizing an inputs.conf file other than the one intended for the Windows_TA? Despite applying the correct Regex filters, we are still encountering issues with events not being properly blacklisted.
Thank you
Sign in to the UF's CLI and run this btool command. It will show which settings will take effect at the next restart and the file each setting comes from.
splunk btool --debug inputs list
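As an added example (not from this thread), the Python below reads the output of `splunk btool inputs list --debug` and reports, for one stanza, which file supplies each blacklist setting, so a setting that is silently coming from another app's local directory stands out. The btool output embedded in it is constructed for illustration; the app names windows_test and Splunk_TA_windows, the paths, and the install path in `run_btool` are assumptions.

```python
import re
import subprocess

# One btool --debug line: "<file that supplies the setting>  <[stanza] | key = value>".
# Splitting on ".conf" copes with Windows paths that contain spaces.
LINE_RE = re.compile(r"^(?P<file>.*?\.conf)\s+(?P<body>.*)$")

# Constructed sample output (illustration only, not captured from a real host):
# the windows_test app owns the stanza header and blacklist2, but the effective
# blacklist1 comes from Splunk_TA_windows\local.
SAMPLE_BTOOL_DEBUG = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [default]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf renderXml = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf blacklist1 = EventCode="4688" Message="MsSense\.exe"
C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\inputs.conf blacklist2 = $XmlRegex=%<EventID>4688</EventID>%
"""


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output.
    The stanza header itself is recorded under the key "[stanza]" so the file
    that declares the stanza is reported as well. Non-btool lines are skipped."""
    parsed = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, body = m.group("file"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            parsed[current] = {"[stanza]": (None, src)}
        elif current is not None and "=" in body:
            key, value = body.split("=", 1)
            parsed[current][key.strip()] = (value.strip(), src)
    return parsed


def blacklist_sources(parsed, stanza):
    """{blacklist<n>: source file} for one stanza (empty if the stanza is absent)."""
    return {k: v[1] for k, v in parsed.get(stanza, {}).items()
            if k.startswith("blacklist")}


def unexpected_sources(parsed, stanza, expected_app):
    """Blacklist keys whose effective value is NOT supplied by expected_app.
    Works for Windows (\\) and Linux (/) paths."""
    needle = ("/apps/%s/" % expected_app).lower()
    return sorted(k for k, src in blacklist_sources(parsed, stanza).items()
                  if needle not in src.replace("\\", "/").lower())


def run_btool(splunk_home=r"C:\Program Files\SplunkUniversalForwarder"):
    """Run btool on the UF itself (the install path is an assumption) and parse it."""
    out = subprocess.run([splunk_home + r"\bin\splunk.exe", "btool", "inputs", "list", "--debug"],
                         capture_output=True, text=True, check=True).stdout
    return parse_btool_debug(out)


if __name__ == "__main__":
    sample = parse_btool_debug(SAMPLE_BTOOL_DEBUG)
    for key, src in blacklist_sources(sample, "WinEventLog://Security").items():
        print("%-12s <- %s" % (key, src))
    print("not from windows_test:",
          unexpected_sources(sample, "WinEventLog://Security", "windows_test"))
```

btool prints only the effective value of each key together with the file it came from, so when two apps set the same `blacklist1` just the winner is listed; a blacklist you deployed can therefore be missing from the output altogether, which is the first thing to check before debugging the regex itself.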
Hi @richgalloway @gcusello ,
When I ran splunk btool --debug check on the host, I observed the following:
C:\Program Files\SplunkUniversalForwarder\bin>splunk btool --debug check
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false).
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\app.conf
windows_test is the app where I had deployed the configurations.
Thanks
The lack of .spec files for app.conf should be unrelated to the problem you are having. It means btool can't check the syntax of app.conf, but Splunk still can process the contents of that file. Also, the blacklist is in inputs.conf so that's another reason why this is an unrelated issue.
Hi,
I have been struggling to fix this blacklist in the windows_ta app's inputs.conf on the DS. I deployed it to the clients, but it is not working as expected. Please help me fix this issue.
Logs are still being ingested.
Thanks, eagerly waiting for your answers.
Please heed the note at the top of the file.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
Any changes made to a default file will be lost when a new version of the app is installed. All changes should be made in a local file.
Hi @AL3Z ,
as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Inputsconf , blacklist uses a regex, so if your logs don't contain the exact string EventCode="4662", with the equals sign and the quotes, the filter doesn't work.
Use regex101 (as I did in my first answer) to find the regex to filter your logs.
Ciao.
Giuseppe
It's not 4662 it's 4688.
Nope, I have added $XmlRegex followed by your regex.
Is this the right one, as you showed on regex101? If not, please correct it.
blacklist5 = EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"
Thanks
Hi @AL3Z,
don't use quotes:
blacklist5 = \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)
Ciao.
Giuseppe
Hi @gcusello ,
I need some help from you to decode the XML regex. We have C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe in both NewProcessName and ParentProcessName.
I tried these regexes; they are not excluding the events even with both combinations in place.
blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%
blacklist5= $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%
Sample event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T11:53:55.027269400Z'/><EventRecordID>151278170</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='10472'/><Channel>Security</Channel><Computer>xyz.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x36ec</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2888</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
Thanks..
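The regexes in this post can be checked offline against the sample event before deploying them. The Python below is an added example, not from the thread: it uses Python's `re`, which is not the PCRE engine Splunk uses, but these patterns only use constructs both engines treat the same way. The 4688 event is a trimmed copy of the sample above; the 4689 event is constructed. The script also covers the `(A)|(B)` regex posted earlier for MsSense.exe and TaniumCX.exe: without a group around the alternation, `|` splits the whole regex, so the `<EventID>4688</EventID>` prefix only applies to the left alternative.

```python
import re

# Trimmed copy of the 4688 event posted above (renderXml output: single-quoted attributes).
EVENT_4688 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>"
    "<EventID>4688</EventID><Channel>Security</Channel><Computer>xyz.com</Computer></System>"
    "<EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data>"
    "<Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>"
    "<Data Name='CommandLine'></Data>"
    "<Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>"
    "</EventData></Event>"
)

# Constructed 4689 event (not from the thread) used to probe the '|' precedence problem.
EVENT_4689 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4689</EventID>"
    "<Channel>Security</Channel></System><EventData>"
    "<Data Name='ProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe</Data>"
    "</EventData></Event>"
)

# The three $XmlRegex patterns of blacklist4 above, exactly as written between the % delimiters.
POSTED = [
    r'<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"',
    r'<EventID>4688<\/EventID>',
    r'<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>',
]

# Same intent, but the attribute quote matches what the forwarder renders (' rather than ").
FIXED = [
    r"<Provider[^>]+Name=['\"]Microsoft-Windows-Security-Auditing['\"]",
    r"<EventID>4688</EventID>",
    r"<Data Name=['\"]NewProcessName['\"]>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe</Data>",
]

# The MsSense.exe / TaniumCX.exe regex posted earlier, verbatim, and a grouped rewrite of it.
ALT_UNGROUPED = r"\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"
ALT_GROUPED = (r"<EventID>4688</EventID>.*<Data Name='NewProcessName'>"
               r"(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe"
               r"|C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)</Data>")


def matches(pattern, event):
    """True if the regex is found anywhere in the rendered XML (search, not full match)."""
    return re.search(pattern, event) is not None


def would_blacklist(patterns, event):
    """Every key=regex pair on one blacklist<n> line must match for the event to be
    dropped (Splunk ANDs them). Returns (dropped, [patterns that failed to match])."""
    misses = [p for p in patterns if not matches(p, event)]
    return (not misses, misses)


if __name__ == "__main__":
    print("posted blacklist4 drops sample event:", would_blacklist(POSTED, EVENT_4688))
    print("fixed   blacklist4 drops sample event:", would_blacklist(FIXED, EVENT_4688))
    print("ungrouped '|' regex hits a 4689 event:", matches(ALT_UNGROUPED, EVENT_4689))
    print("grouped   '|' regex hits a 4689 event:", matches(ALT_GROUPED, EVENT_4689))
```

Run against the sample event, two of the three posted patterns fail for one reason only: the rendered XML uses single quotes around attribute values and the patterns demand double quotes, so the AND across the three pairs never succeeds. The ungrouped regex, by contrast, drops any event anywhere in the Security log that merely mentions the TaniumCX.exe path.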
Hi @gcusello ,
This regex is not working! Do we need to put EventCode="4688" Message=" " in front of it to get it to work?
Hi @AL3Z ,
that is a regex, whereas these are Splunk fields: try only the regex.
The EventCode 4688 is inside the regex, so you don't need to repeat it.
Ciao.
Giuseppe
Hi @gcusello ,
I had gone through one of your answers in the post
https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999
, but in my case there is no transforms.conf in my windows_ta app. How can we apply the same in my case and stop the logs from being ingested into Splunk?
Thanks
Hi @AL3Z,
blacklisting is in inputs.conf.
transforms.conf and props.conf are the second solution described in the above link, used to filter logs on indexers or heavy forwarders (if present), when you cannot filter logs on the universal forwarder.
That isn't your situation: you have to find the exact regex. Please try my first regex, inserted in the blacklist option of your inputs.conf.
Ciao.
Giuseppe
\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"
Thanks..
Hi @AL3Z,
this regex doesn't seem to work.
Did you try the one I shared (which works on regex101)?
Ciao.
Giuseppe
The RHS of the blacklist setting must be in key=regex format where key is one of Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, or User; and regex is a regular expression enclosed in delimiters (quotes can be a delimiter).
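As an added example, not from the thread, here is a small Python parser for that key=regex format; running the three blacklist values posted above through it shows which ones even have the required shape before any regex matching comes into play. Two assumptions: the delimiter is whichever of double quote, single quote or % follows the `=`, and `$XmlRegex`, which the thread uses for XML-rendered events but which is absent from the key list above, is accepted as a key.

```python
import re

# Keys listed in the answer above, plus $XmlRegex as used earlier in this thread
# (assumption: it is not in the list above but is accepted here).
ALLOWED_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType", "Keywords",
    "LogName", "Message", "OpCode", "RecordNumber", "Sid", "SidType", "SourceName",
    "TaskCategory", "Type", "User", "$XmlRegex",
}
DELIMITERS = '"\'%'          # assumption: the character after '=' must be one of these
KEY_RE = re.compile(r"\s*(\$?[A-Za-z]+)=")


def parse_blacklist(rhs):
    """Split the value of blacklist<n> into [(key, regex), ...].
    Each regex starts right after 'key=' with a delimiter and runs to the next
    occurrence of that same delimiter, so the delimiter must not occur inside the
    regex (the thread switches to % once the pattern itself contains double quotes).
    Raises ValueError if the value is not a sequence of key=<delim>regex<delim>."""
    rhs = rhs.strip()
    pairs, pos = [], 0
    while pos < len(rhs):
        m = KEY_RE.match(rhs, pos)
        if not m:
            raise ValueError("expected key=... at offset %d, got %r" % (pos, rhs[pos:pos + 25]))
        key = m.group(1)
        if key not in ALLOWED_KEYS:
            raise ValueError("unknown key %r" % key)
        pos = m.end()
        if pos >= len(rhs) or rhs[pos] not in DELIMITERS:
            raise ValueError("regex for %s must start with one of %s" % (key, DELIMITERS))
        delim = rhs[pos]
        end = rhs.find(delim, pos + 1)
        if end < 0:
            raise ValueError("unterminated %s delimiter for %s" % (delim, key))
        regex = rhs[pos + 1:end]
        re.compile(regex)   # syntax check only; Python re approximates Splunk's PCRE
        pairs.append((key, regex))
        pos = end + 1
    if not pairs:
        raise ValueError("empty blacklist value")
    return pairs


def is_valid(rhs):
    """True if the value parses as key=regex pairs and every regex compiles."""
    try:
        parse_blacklist(rhs)
        return True
    except (ValueError, re.error):
        return False


# The three blacklist values posted in this thread, verbatim.
BLACKLIST5_WITH_KEYS = r'''EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"'''
BLACKLIST5_BARE = r'''\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)'''
BLACKLIST4_XML = r'''$XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%'''

if __name__ == "__main__":
    for name, rhs in [("with keys", BLACKLIST5_WITH_KEYS),
                      ("bare regex", BLACKLIST5_BARE),
                      ("$XmlRegex", BLACKLIST4_XML)]:
        try:
            print(name, "->", [(k, r[:40]) for k, r in parse_blacklist(rhs)])
        except ValueError as e:
            print(name, "-> rejected:", e)
```

The bare regex is rejected at offset 0 because nothing in front of it looks like `key=`; the other two parse into two and three pairs respectively, which is the shape the setting needs before its patterns are ever compared with an event.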