Splunk Search

Splunk_TA_Windows event blacklist not working

vsskishore
Explorer

I have the configuration below in Splunk_TA_Windows inputs.conf to blacklist the NT AUTHORITY\SYSTEM events in event code 4663.
But my blacklist3 is not working as expected; I still get the events indexed.
Can someone help me in resolving the issue?

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)"
renderXml=false
index = winlogs


FrankVl
Ultra Champion

Have you checked whether that regex is correct? Security ID:(\w[NT]\s\w+.\w+) doesn't seem entirely accurate to match Security ID: NT AUTHORITY\SYSTEM. Perhaps simply try Message=Security ID:\s*NT\sAUTHORITY\\SYSTEM or something along those lines?

0 Karma
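As an added illustration of the point made in this answer (not code from the thread or from Splunk), the script below runs both regexes against a constructed 4663 message body with Python's re module, which handles these constructs the same way Splunk's PCRE-based Message= filter does. The sample message and hostnames are made up; the two regexes are the ones quoted in the thread.

```python
import re

# Constructed sample of a Windows Security event 4663 message body (not a real capture).
# Windows renders the "Security ID:" field with tab separators, as shown here.
SAMPLE_4663_MESSAGE = """An attempt was made to access an object.

Subject:
\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM
\tAccount Name:\t\tWIN-HOST$
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7

Object:
\tObject Server:\t\tSecurity
\tObject Type:\t\tFile
\tObject Name:\t\tC:\\Windows\\Temp\\example.log
"""

# Same message for an ordinary domain account, which the blacklist must NOT drop.
SAMPLE_4663_USER_MESSAGE = SAMPLE_4663_MESSAGE.replace(
    "NT AUTHORITY\\SYSTEM", "EXAMPLE\\jdoe")

# Regex from the original post (blacklist3). \w has to match a word character
# directly after the colon, but the message has whitespace there, so it never matches.
ORIGINAL_REGEX = r"Security ID:(\w[NT]\s\w+.\w+)"

# Regex suggested in the answer. \s* absorbs the whitespace and \\ matches the
# literal backslash in NT AUTHORITY\SYSTEM.
SUGGESTED_REGEX = r"Security ID:\s*NT\sAUTHORITY\\SYSTEM"


def blacklist_matches(regex: str, message: str) -> bool:
    """Return True if the blacklist regex matches anywhere in the message.

    Splunk's Message= filter is an unanchored match, so re.search is the
    right comparison, not re.match.
    """
    return re.search(regex, message) is not None


def check_regexes() -> dict:
    """Evaluate both regexes against the SYSTEM and the user sample messages."""
    return {
        "original_matches_system": blacklist_matches(ORIGINAL_REGEX, SAMPLE_4663_MESSAGE),
        "suggested_matches_system": blacklist_matches(SUGGESTED_REGEX, SAMPLE_4663_MESSAGE),
        "suggested_matches_user": blacklist_matches(SUGGESTED_REGEX, SAMPLE_4663_USER_MESSAGE),
    }


if __name__ == "__main__":
    for name, result in check_regexes().items():
        print(f"{name}: {result}")
```

Running it shows the original regex failing on the SYSTEM event while the suggested one matches it and leaves the user event alone. When moving the regex back into inputs.conf, keep it inside the double quotes of the Message= value and keep the doubled backslash before SYSTEM; a blacklist that silently never matches means every event it was meant to drop is still indexed.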

vsskishore
Explorer

Hey FrankVl,
I've tried the given suggestion but no luck.

0 Karma

vsskishore
Explorer

blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)"
this is not working.

0 Karma