
Regex challenge: How can I blacklist all 4662 events unless they are related to group policy or DNS?

Explorer

I'm struggling to find the proper regex to adjust the blacklist for 4662 events.
I want to blacklist all 4662 events unless they are related to group policy or DNS.

I've tried a number of combinations. My latest running example is:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer|dnsNode))"

Using this I get back no 4662 events.
So far, while trying to research and understand regex, I haven't figured out how to make this work.

Splunk Employee

Give this a try:

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|dnsNode))"

Communicator

dw385,

So are you saying this example regex in your inputs.conf is working or not working for what you are trying to achieve? Can you clarify your question?


Explorer

I'm trying to ignore all events with the ID 4662 unless they are from the object type "groupPolicyContainer" or "dnsNode".

Example message field from an event:
An operation was performed on an object.

Subject :
    Security ID:        domain\user
    Account Name:       user
    Account Domain:     domain
    Logon ID:       0x57634DF

Object:
    Object Server:      DS
    Object Type:        groupPolicyContainer
    Object Name:        CN=Configuration,DC=domain,DC=domain
    Handle ID:      0x0

Operation:
    Operation Type:     Object Access
    Accesses:       Control Access

    Access Mask:        0x100
    Properties:     Control Access
        Replicating Directory Changes
    configuration


Additional Information:
    Parameter 1:        -
    Parameter 2:

The out of the box config for the Windows TA contains this blacklist entry:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

I'm just trying to also include dnsNode with groupPolicyContainer to index those two types of events but ignore everything else.

I thought it would just be an OR as I listed above but that config does not work.

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer)|(dnsNode))"

This actually causes every 4662 event to be indexed, regardless of object type.

My first attempt was

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer|dnsNode)"

which causes all 4663 events to be indexed.

Removing the negation, the regex appears to match an event. I suspect there's something about the ?! I haven't figured out yet.

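To see why the pattern from the question blacklists every padded event while the pattern from the reply behaves, here is an added Python check (not from the thread or from Splunk's Windows TA) that runs both regexes over constructed "Object Type" lines; it assumes Splunk's PCRE and Python's re agree on lookahead and backtracking for this construct, which they do.

```python
import re

# Constructed, abbreviated 4662 Message fields (not the thread's real events).
# Only the "Object Type" line matters to the blacklist regex; Windows pads the
# value with several spaces, exactly as in the sample the poster shared.
EVENTS = {
    "gpo":              "Object:\n    Object Server:      DS\n    Object Type:        groupPolicyContainer\n",
    "dns":              "Object:\n    Object Server:      DS\n    Object Type:        dnsNode\n",
    "user":             "Object:\n    Object Server:      DS\n    Object Type:        user\n",
    "gpo_single_space": "Object:\n    Object Server:      DS\n    Object Type: groupPolicyContainer\n",
}

# Pattern from the question: the whitespace is consumed OUTSIDE the lookahead.
# When the lookahead fails on "groupPolicyContainer", the engine backtracks \s+
# by one space; the lookahead now sees " groupPolicyContainer" (leading space),
# which is not in the alternation, so it succeeds, the regex matches, and the
# event is blacklisted. Only a value padded with a single space escapes this.
BROKEN = re.compile(r"Object Type:\s+(?!(groupPolicyContainer|dnsNode))")

# Pattern from the reply: the whitespace is INSIDE the lookahead, so there is
# nothing left to backtrack and the value is tested exactly once.
FIXED = re.compile(r"Object Type:(?!\s*(groupPolicyContainer|dnsNode))")


def is_blacklisted(pattern, message):
    """A Splunk blacklist entry drops the event when its Message regex matches."""
    return pattern.search(message) is not None


def kept_events(pattern, events=EVENTS):
    """Names of events that would be indexed, i.e. NOT matched by the blacklist."""
    return sorted(name for name, msg in events.items() if not is_blacklisted(pattern, msg))


if __name__ == "__main__":
    print("broken pattern keeps:", kept_events(BROKEN))  # only the single-space variant
    print("fixed pattern keeps: ", kept_events(FIXED))   # gpo and dns kept, user dropped
```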