Splunk Search

How do I filter Event Log with blacklists in inputs.conf

alexrivero
New Member

I'm trying to create a blacklist for several Event IDs to exclude any events with multiple user accounts. For example, I'd like to filter EventID 4688 for any logs where the Account Name is Blank, any service account that begins with svc, any computer account that ends with $, etc.

I've tried the following, but I don't think either syntax is correct and I'm not sure how to include wildcards.

blacklist1=EventCode="4624,4625,4688" Message="Account Name:\s+$s+"
blacklist2=EventCode=%^(4624|4625|4688)$% User=%svc% %$% % %

NOTE: The 2 blacklist lines are the formats I've tried. I did not have both lines running at the same time.

What I'm looking for is essentially something like this:

Blacklist = EventID1, 2, 3 Account=*$, svc*, *(blank)*

I've tried using regex101 and regexer, but I feel I'm just not grasping the syntax of RegEx in general. Any help would be appreciated!

0 Karma

richgalloway
SplunkTrust

Understanding regular expressions (even a little) is critical to getting blacklists to work.

There is one wildcard character in regexes: the dot (.). It (and just about anything else) can be followed by a quantifier that says how many of that character are allowed. * means any number, + means at least one, and ? means one or none. There are other quantifiers, but that's a more advanced topic.

There are some special characters to know about. $ means end-of-line, ^ means beginning-of-line, | separates optional matches, and '\' cancels a special character. Anything that is not a special character or quantifier is literal text.

Armed with that information, your example blacklist1 would match only an event with an EventCode field that contains 3 numbers (not gonna happen). Blacklist2 is not valid because it contains two strings without matching keywords.

Try these:
blacklist1 = EventCode="4624|4625|4688" Message="Account Name:\s+\$.*"
blacklist2 = EventCode="4624|4625|4688" User=".*\$|svc.*|.*\s+.*"

---
If this reply helps you, Karma would be appreciated.
0 Karma

alexrivero
New Member

So I've tried both of your options, but I'm still getting events coming in with Account Names/User names listed in the blacklist (computer$, svc, blank, etc.)

0 Karma

richgalloway
SplunkTrust

Closely examine the Message and User fields of the unwanted events. Make sure the contents match the regular expressions in your blacklists. If they don't, adjust the regexes as needed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
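As an added example (not code from the thread or from Splunk), here is a small Python harness that applies the two proposed blacklist lines to constructed sample events and reports which ones each line would drop, which is the kind of check the reply above suggests. It assumes the inputs.conf rule that every key=regex pair on one blacklist line must match for the event to be dropped, and that each regex is applied as an unanchored search against the field value.

```python
import re

# Assumed Splunk semantics (not stated in the thread): a blacklist line drops
# an event only when every key=regex pair on that line matches its field,
# and each regex is applied as an unanchored search.
BLACKLISTS = {
    "blacklist1": {"EventCode": r"4624|4625|4688",
                   "Message": r"Account Name:\s+\$.*"},
    "blacklist2": {"EventCode": r"4624|4625|4688",
                   "User": r".*\$|svc.*|.*\s+.*"},
}

# Constructed sample events (not real captures), in the shape the Windows
# event log input exposes them: EventCode, User and the rendered Message.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "User": "WORKSTATION01$",
     "Message": "Subject:\n\tAccount Name:\t\tWORKSTATION01$\n"},
    {"EventCode": "4624", "User": "svc_backup",
     "Message": "Subject:\n\tAccount Name:\t\tsvc_backup\n"},
    {"EventCode": "4688", "User": "",
     "Message": "Subject:\n\tAccount Name:\t\t\n\tAccount Domain:\tCORP\n"},
    {"EventCode": "4688", "User": "jdoe",
     "Message": "Subject:\n\tAccount Name:\t\tjdoe\n"},
    {"EventCode": "4672", "User": "svc_sql",
     "Message": "Subject:\n\tAccount Name:\t\tsvc_sql\n"},
]


def matching_blacklists(event, blacklists=BLACKLISTS):
    """Return the names of blacklist lines whose pairs all match this event."""
    return [name for name, pairs in blacklists.items()
            if all(re.search(rx, event.get(field, ""))
                   for field, rx in pairs.items())]


def filter_events(events, blacklists=BLACKLISTS):
    """Keep only the events no blacklist line drops (what would be indexed)."""
    return [e for e in events if not matching_blacklists(e, blacklists)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        hits = matching_blacklists(e)
        verdict = "dropped by " + ", ".join(hits) if hits else "indexed"
        print(f"EventCode={e['EventCode']} User={e['User']!r:18} -> {verdict}")
```

Running it shows the computer account and the svc account dropped by blacklist2, while the event with a blank account name, the ordinary user, and the 4672 event (EventCode not in the list) are still indexed, so you can see exactly which regex needs adjusting.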