I am beaten. I cannot get this blacklist regex to work.
We have a Windows host producing a ton of 4656 errors, all for "Desktop.ini". I know the cause (bad NTFS setup) but the server team is in no hurry to fix it, and 50+ GB of license a day is being eaten by these.
It seems the blacklist I put in place filters all 4656s.
Here is what I have in the Windows_TA stanza. It should be noted that blacklist3 works.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
blacklist4 = EventCode="4656" Message="Object Name:\s+.(?!.*desktop.ini)"
index = idx_security
renderXml=false
The raw events look like this.
07/19/2016 09:50:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=host.domain.local
TaskCategory=File System
OpCode=Info
RecordNumber=2060110708
Keywords=Audit Failure
Message=A handle to an object was requested.
Subject:
Security ID: DOMAIN\svc_splunk
Account Name: svc_splunk
Account Domain: DOMAIN
Logon ID: 0xD2B5B783
Object:
Object Server: Security
Object Type: File
***Object Name: U:\Users\redacted\desktop.ini***
Handle ID: 0x0
Resource Attributes: -
Process Information:
Process ID: 0x6dc
Process Name: C:\Windows\explorer.exe
I think the (one) problem is the ! in (?!. It basically means you don't want "desktop.ini" to be there. So if it's there, your regex will not match. Try replacing the ! with : like this:
blacklist4 = EventCode="4656" Message="Object Name:\s+.(?:.*desktop.ini)"
In fact you don't need the (?:) grouping at all. You could just have:
blacklist4 = EventCode="4656" Message="Object Name:\s+.*desktop.ini"
To make it a bit tighter you could replace the . with the non-space character class \S:
blacklist4 = EventCode="4656" Message="Object Name:\s+\S*desktop.ini"
Also, you technically should escape the . in desktop.ini, since that means a real dot:
blacklist4 = EventCode="4656" Message="Object Name:\s+\S*desktop\.ini"
To try things out, a good approach is to open a search and start with something simple like:
index=whatever sourcetype=whatever EventCode=4656 | regex Message="desktop.ini"
(update the index and sourcetype as relevant). That should return at least the events you want to exclude. If that works for you, use that for your blacklist. If you are worried this is too generic, you can then build up the regex to something a little more restrictive, step by step, taking a step back whenever it stops matching, until you have something that works and that you believe is restrictive enough to match only the things you want to match. Once you're there, you can update your blacklist and hopefully it should work.
I hope that helps.
Thanks Gabriel,
Simplification was the answer.
This one worked:
blacklist4 = EventCode="4656" Message="(d|D)esktop.ini"
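To make the regex discussion above concrete, here is an added example (not from the original thread or from Splunk) that runs every blacklist4 candidate from the answer, plus the final working one, against two constructed 4656 Message bodies: one for desktop.ini and one for an unrelated file. It assumes Splunk drops an event when the blacklist regex matches anywhere in the named field (search semantics, PCRE-style, with . not crossing newlines), which Python's re module reproduces for these constructs. The sample messages and the tab-separated layout are constructed to resemble the event in the question, not captured logs.

```python
import re

# Constructed sample Message values modelled on the 4656 event in the thread
# (not real captures). Windows separates the label from the value with tabs.
MSG_DESKTOP_INI = (
    "A handle to an object was requested.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tDOMAIN\\svc_splunk\n"
    "\tAccount Name:\t\tsvc_splunk\n"
    "\n"
    "Object:\n"
    "\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
    "\tObject Name:\t\tU:\\Users\\redacted\\desktop.ini\n"
    "\tHandle ID:\t\t0x0\n"
)
# Same event shape, but for a file we do NOT want to blacklist.
MSG_OTHER_FILE = MSG_DESKTOP_INI.replace("desktop.ini", "budget.xlsx")

# Every blacklist4 regex proposed in the thread, in order, plus the final one.
CANDIDATES = {
    "original (negative lookahead)": r"Object Name:\s+.(?!.*desktop.ini)",
    "non-capturing group": r"Object Name:\s+.(?:.*desktop.ini)",
    "plain .*": r"Object Name:\s+.*desktop.ini",
    "\\S* and escaped dot": r"Object Name:\s+\S*desktop\.ini",
    "final (d|D)esktop.ini": r"(d|D)esktop.ini",
}


def is_blacklisted(pattern, message):
    """Mimic the blacklist check: the event is dropped when the regex matches
    anywhere in the Message field. Assumption: Splunk evaluates the key's
    regex with PCRE search semantics and '.' does not match a newline, which
    is how Python's re behaves for the constructs used here."""
    return re.search(pattern, message) is not None


def evaluate(pattern):
    """Return (drops_desktop_ini_event, drops_other_file_event)."""
    return (is_blacklisted(pattern, MSG_DESKTOP_INI),
            is_blacklisted(pattern, MSG_OTHER_FILE))


def evaluate_all():
    """Evaluate each candidate; a correct blacklist yields (True, False)."""
    return {name: evaluate(p) for name, p in CANDIDATES.items()}


if __name__ == "__main__":
    for name, (drops_ini, drops_other) in evaluate_all().items():
        verdict = "OK" if drops_ini and not drops_other else "WRONG"
        print(f"{verdict:5} {name:32} desktop.ini dropped={drops_ini}"
              f"  other file dropped={drops_other}")
```

Running it shows the inversion the answer describes: the negative lookahead version leaves the desktop.ini event alone and drops the unrelated one instead, while every positive-match variant drops only desktop.ini. The final (d|D)esktop.ini pattern also works on these samples, but its unescaped dot will match any single character, so a name like desktopXini would be dropped too; escaping it as desktop\.ini is the safer form.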