@richgalloway 
Thanks, As I see in some host changes has not reflected what could be the issue ?

Hi @richgalloway @gcusello ,

How can we utilize Btool on the host to troubleshoot whether the Universal Forwarder (UF) is utilizing an inputs.conf file other than the one intended for the Windows_TA? Despite applying the correct Regex filters, we are still encountering issues with events not being properly blacklisted.

ThanQ

Sign in to the UF's CLI and run this btool command.  It will show which settings will take effect at the next restart and the file each setting comes from.

splunk btool --debug inputs list

Hi @richgalloway @gcusello ,
When I ra n splunk btool --debug check on the host, I observe the following; 

C:\Program Files\SplunkUniversalForwarder\bin>splunk btool --debug check

No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false).
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\app.conf

windows_test is the app where I had deployed the configurations.

Thanks 

The lack of .spec files for app.conf should be unrelated to the problem you are having.  It means btool can't check the syntax of app.conf, but Splunk still can process the contents of that file.  Also, the blacklist is in inputs.conf so that's another reason why this is an unrelated issue.

Hi,

I have been struggling to fix this blacklist in windows_ta app inputs.conf in the DS and deployed it to clients but it not working as expected, please help me in fixing this issue

Still logs are ingesting..

Thanks Eagerly waiting for your answers....

Please heed the note at the top of the file.

# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.

Any changes made to a default file will be lost when a new version of the app is installed.  All changes should be made in a local file.

Hi @AL3Z ,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Inputsconf , blacklist uses a regex, so if in your logs there isn't the exact string EventCode="4662"  with equal and quotes, the filter doesn't work.

Use regex101 (as I did in my first answer) to find the regex to filter your logs.

Ciao.

Giuseppe

It's not 4662 it's 4688.

Nope, I have added $xmlRegex followed by your regex 

Is this a right one as you mentioned in the regex101 if not pls correct it 

blacklist5 = EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks

Hi @AL3Z,

don't use quotes:

blacklist5 = \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)

Ciao.

Giuseppe

Hi @gcusello ,

Need an help from you to decode the xml  regex we have this  C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe in NewProcessName and ParentProcessName 

tried regex: its not excluding the events even after placing these both combinations.

blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

blacklist5= $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

Sample event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T11:53:55.027269400Z'/><EventRecordID>151278170</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='10472'/><Channel>Security</Channel><Computer>xyz.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x36ec</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2888</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Thanks..

Hi @gcusello ,

This regex is not working ! Do we need to use  followed by  EventCode="4688" Message="  "  to get it work ?

Hi @AL3Z ,

it's a regex, instead these are Splunk fields: try only the regex.

the EventCode=4688 is inside the regex, so you don't need to repeat it.

Ciao.

Giuseppe

Hi @gcusello ,

I had gone through your one of the answer in the post 
 https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999
, But in my case there is no Transforms.conf in my windows_ta app,H ow we can apply the same in my case and stop the logs from ingesting into splunk ?

Thanks

Hi @AL3Z,

blacklisting is in inputs.conf.

transformas.conf and props.conf is the second solution described in the above link used to filter logs on Indexers or Heavy Forwarders (if present), when you cannot filter logs on the Universal forwarder.

It isn't your situation: you have to find the exact regex, please try with my first regex, to insert in the blacklist option of your inputs.conf

Ciao.

Giuseppe

\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks..

Hi @AL3Z,

this regex seems to not work,

Did you tried the one I shared (that works on rgex101)?

Ciao.

Giuseppe

The RHS of the blacklist setting must be in key=regex format where key is one of Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, or User; and regex is a regular expression enclosed in delimiters (quotes can be a delimiter).