I have the configuration below in Splunk_TA_Windows inputs.conf to blacklist the NT AUTHORITY\SYSTEM events with event code 4663.
But my blacklist3 is not working as expected; I still get the events indexed.
Can someone help me resolve the issue?
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)
renderXml=false
index = winlogs
Have you checked whether that regex is correct? Security ID:(\w[NT]\s\w+.\w+) doesn't seem entirely accurate to match Security ID: NT AUTHORITY\SYSTEM. Perhaps simply try Message=Security ID:\s*NT\sAUTHORITY\\SYSTEM or something along those lines?
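To make the answer above concrete, the script below is an added example written for this page (not code from Splunk, the TA, or either poster). It runs both Message patterns from the thread against a constructed 4663 message laid out the way the Windows TA renders it (resolved account name, tab characters after each field label), and it also models blacklist evaluation in a simplified way that is an assumption about Splunk's semantics rather than a quote from its documentation: every key=regex pair inside one blacklistN entry must match, and an event is dropped if any entry matches. The sample event text, the host and user names, and the helper functions are all invented for the demonstration. (Note also that the blacklist3 line as posted in the question is missing its closing quote, although the follow-up post shows it with one.)

```python
import re

# Constructed sample of a Windows Security event 4663 message body, laid out
# the way the Windows TA renders it (SID resolved to an account name, fields
# separated by tab characters). This is not a captured event; the host and
# object names are invented.
SAMPLE_SYSTEM = (
    "An attempt was made to access an object.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\r\n"
    "\tAccount Name:\t\tSERVER01$\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
    "\tLogon ID:\t\t0x3E7\r\n"
    "\r\n"
    "Object:\r\n"
    "\tObject Server:\t\tSecurity\r\n"
    "\tObject Type:\t\tFile\r\n"
    "\tObject Name:\t\tC:\\Windows\\Temp\\report.tmp\r\n"
)

# Same event for an ordinary domain user (invented); this one must stay indexed.
SAMPLE_USER = SAMPLE_SYSTEM.replace("NT AUTHORITY\\SYSTEM", "CORP\\jdoe")

# The pattern from the thread's blacklist3, and the pattern FrankVI proposed.
ORIGINAL_PATTERN = r"Security ID:(\w[NT]\s\w+.\w+)"
SUGGESTED_PATTERN = r"Security ID:\s*NT\sAUTHORITY\\SYSTEM"


def message_matches(pattern, message):
    """True if the Message regex finds a match anywhere in the event text."""
    return re.search(pattern, message) is not None


def is_blacklisted(event_code, message, rules):
    """Simplified model of WinEventLog blacklist semantics (an assumption about
    the product, not a quote from its docs): every key=regex pair inside one
    blacklist entry must match, and the event is dropped if any entry matches."""
    fields = {"EventCode": event_code, "Message": message}
    for rule in rules:
        if all(re.search(regex, fields[key]) for key, regex in rule.items()):
            return True
    return False


# The three blacklist entries from the posted inputs.conf, as key -> regex.
RULES = [
    {"EventCode": "4662", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": "566", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": "4663", "Message": ORIGINAL_PATTERN},
]

# Same list with blacklist3 replaced by the suggested pattern.
FIXED_RULES = RULES[:2] + [{"EventCode": "4663", "Message": SUGGESTED_PATTERN}]


def char_after_label(message):
    """Return the character that follows 'Security ID:' in the message.
    ORIGINAL_PATTERN demands a word character (\\w) immediately after the
    colon, but the rendered event puts a tab there, so the match fails at
    this position before it ever reaches 'NT'."""
    idx = message.index("Security ID:") + len("Security ID:")
    return message[idx]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_PATTERN), ("suggested", SUGGESTED_PATTERN)):
        print(f"{name:9} SYSTEM={message_matches(pat, SAMPLE_SYSTEM)} "
              f"user={message_matches(pat, SAMPLE_USER)}")
    print("char after 'Security ID:':", repr(char_after_label(SAMPLE_SYSTEM)))
    print("posted blacklist3 drops SYSTEM 4663:",
          is_blacklisted("4663", SAMPLE_SYSTEM, RULES))
    print("fixed blacklist3 drops SYSTEM 4663:",
          is_blacklisted("4663", SAMPLE_SYSTEM, FIXED_RULES))
```

The original pattern only matches text where "NT" directly follows the colon with no whitespace at all, which is not how the TA renders the field, so blacklist3 never fires and the events keep being indexed. The suggested pattern tolerates any whitespace, and the doubled backslash is needed because the regex is PCRE and a single backslash would escape the following "S". Before relying on any replacement, copy the _raw of an already indexed 4663 event and test the pattern against that exact text: if the TA on a given host leaves the SID unresolved (S-1-5-18 instead of a name), the Message regex has to match that form instead.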
Hey FrankVI,
I've tried the given suggestion, but no luck.
blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)"
This is not working.