Splunk Search

Splunk_TA_Windows event blacklist not working

vsskishore
Explorer

I have the configuration below in Splunk_TA_Windows inputs.conf to blacklist the NT AUTHORITY\SYSTEM events with event code 4663.
But my blacklist3 is not working as expected; I still get the events indexed.
Can someone help me resolve the issue?

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)"
renderXml = false
index = winlogs


FrankVl
Ultra Champion

Have you checked whether that regex is correct? Security ID:(\w[NT]\s\w+.\w+) doesn't seem entirely accurate to match Security ID: NT AUTHORITY\SYSTEM. Perhaps simply try Message=Security ID:\s*NT\sAUTHORITY\\SYSTEM or something along those lines?

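To make the regex point concrete, here is an added example (not part of FrankVl's answer or of the Splunk_TA_Windows add-on) that reproduces the blacklist evaluation offline in Python. It assumes what the Splunk documentation states for the key=regex blacklist form: every key=regex pair on one blacklist line is matched unanchored against the corresponding event field, and the event is dropped only when all of them match. The 4663 message bodies are constructed samples, not captured events.

```python
import re

# Constructed sample events (not real captures), shaped like the fields the
# WinEventLog input exposes for blacklist matching. Tabs after the field labels
# mimic the layout of a rendered Security event message.
EVENT_SYSTEM = {
    "EventCode": "4663",
    "Message": (
        "An attempt was made to access an object.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n"
        "\tAccount Name:\t\tSYSTEM\n"
        "\tAccount Domain:\t\tNT AUTHORITY\n"
        "\tLogon ID:\t\t0x3E7\n"
    ),
}
EVENT_USER = {
    "EventCode": "4663",
    "Message": (
        "An attempt was made to access an object.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1001\n"
        "\tAccount Name:\t\tjdoe\n"
        "\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x1A2B3C\n"
    ),
}
# Same SYSTEM subject but a different event code: the EventCode pair must fail.
EVENT_OTHER_CODE = {"EventCode": "4624", "Message": EVENT_SYSTEM["Message"]}

# blacklist3 as posted in the question, and the regex FrankVl suggested instead.
BLACKLIST_ORIGINAL = {
    "EventCode": r"4663",
    "Message": r"Security ID:(\w[NT]\s\w+.\w+)",
}
BLACKLIST_SUGGESTED = {
    "EventCode": r"4663",
    "Message": r"Security ID:\s*NT\sAUTHORITY\\SYSTEM",
}


def is_blacklisted(event, blacklist):
    """Assumed Splunk semantics: drop the event only if every key=regex pair
    matches its field (unanchored search)."""
    return all(
        re.search(regex, event.get(field, "")) is not None
        for field, regex in blacklist.items()
    )


def first_mismatch(event, blacklist):
    """Return the first field whose regex fails, or None if all pairs match.
    Useful for seeing *which* pair keeps a blacklist from firing."""
    for field, regex in blacklist.items():
        if re.search(regex, event.get(field, "")) is None:
            return field
    return None


if __name__ == "__main__":
    # The original pattern needs a word character directly after "Security ID:",
    # but the message has whitespace there, so \w never matches and the event
    # is indexed. The suggested pattern absorbs the whitespace with \s*.
    print("original blacklist3 drops SYSTEM event:",
          is_blacklisted(EVENT_SYSTEM, BLACKLIST_ORIGINAL))
    print("pair that fails:", first_mismatch(EVENT_SYSTEM, BLACKLIST_ORIGINAL))
    print("suggested blacklist3 drops SYSTEM event:",
          is_blacklisted(EVENT_SYSTEM, BLACKLIST_SUGGESTED))
    print("suggested blacklist3 drops user event:",
          is_blacklisted(EVENT_USER, BLACKLIST_SUGGESTED))
    print("suggested blacklist3 drops 4624 SYSTEM event:",
          is_blacklisted(EVENT_OTHER_CODE, BLACKLIST_SUGGESTED))
```

Running this shows the posted pattern fails on the `Message` pair: `\w` has to match the character right after `Security ID:`, which in a rendered event is a tab or space, so the group never matches and the SYSTEM events keep flowing into the index. The suggested pattern drops the SYSTEM 4663 sample while leaving the ordinary-user 4663 sample and the 4624 sample alone. Before putting a regex into inputs.conf, testing it this way against a real message copied from one indexed event is the quickest way to separate a regex problem from a deployment or restart problem.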

vsskishore
Explorer

Hey FrankVl,
I've tried the given suggestion but no luck.


vsskishore
Explorer

blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)"
This is not working.
