Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex challenge: How can I blacklist all 4662 events unless they are related to group policy or DNS?

dw385
Explorer
‎08-03-2017 05:16 PM

I'm struggling to find the proper regex to adjust the blacklist for 4662 events.
I want to blacklist all 4662 events unless they are related to group policy or DNS.

I've tried a number of combinations. My latest running example is:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer|dnsNode))"

Using this I get back no 4662 events.
So far while trying to research and understand RegEx I haven't figured out how to make this work.

Reply

swong_splunk
Splunk Employee
Splunk Employee
‎12-20-2017 02:51 PM

Give this a try:

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|dnsNode))"

Reply

bheemireddi
Communicator
‎08-03-2017 07:40 PM

dw385,

So are you saying this example Regex in your inputs.conf working or not working? to what you are trying to achieve? Can you clarify your question?

0 Karma
Reply

dw385
Explorer
‎08-04-2017 05:22 AM

I'm trying to ignore all events with the ID 4662 unless they are from the object type "groupPolicyContainer" or "dnsNode".

Example message field from an event:
An operation was performed on an object.

Subject :
    Security ID:        domain\user
    Account Name:       user
    Account Domain:     domain
    Logon ID:       0x57634DF

Object:
    Object Server:      DS
    Object Type:        groupPolicyContainer
    Object Name:        CN=Configuration,DC=domain,DC=domain
    Handle ID:      0x0

Operation:
    Operation Type:     Object Access
    Accesses:       Control Access

    Access Mask:        0x100
    Properties:     Control Access
        Replicating Directory Changes
    configuration


Additional Information:
    Parameter 1:        -
    Parameter 2:

The out of the box config for the Windows TA contains this blacklist entry:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

I'm just trying to also include dnsNode with groupPolicyContainer to index those two types of events but ignore everything else.

I thought it would just be an OR as I listed above but that config does not work. 

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer)|(dnsNode))"

This actually causes every 4662 event to be indexed, regardless of object type.

My first attempt was

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer|dnsNode)"

which causes all 4663 events to be indexed.

Removing the negation the regex appears to work to match on an event. I suspect there's something about the ?! I haven't figured out yet.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...