I have the configuration below in Splunk_TA_Windows inputs.conf to blacklist the NT AUTHORITY\SYSTEM events for EventCode 4663.
But my blacklist3 is not working as expected; I still get the events indexed.
Can someone help me resolve the issue?
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)
index = winlogs
Have you checked whether that regex is correct?
Security ID:(\w[NT]\s\w+.\w+) doesn't seem entirely accurate for matching
Security ID: NT AUTHORITY\SYSTEM. Perhaps simply try
Message=Security ID:\s*NT\sAUTHORITY\\SYSTEM or something along those lines?
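To see why the posted blacklist3 regex misses the event while the one suggested above catches it, here is an added Python example (not part of the original thread, and not Splunk's code). It runs both regexes against a constructed 4663 message laid out the way Windows renders it (tab characters after each field label), and emulates the documented blacklist rule that every key=regex pair on one blacklistN line must match before an event is dropped. The emulation treats the regexes as unanchored searches, which is an assumption of this example; the sample message and account names are made up.

```python
import re

# Constructed 4663 message in the layout Windows renders: each field label is
# followed by tabs, so "Security ID:" is NOT immediately followed by a word
# character. Not a real captured event.
SAMPLE_4663_SYSTEM = (
    "An attempt was made to access an object.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n"
    "\tAccount Name:\t\tWIN-FS01$\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Object:\n"
    "\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
    "\tObject Name:\t\tC:\\Share\\finance\\payroll.xlsx\n"
    "\tHandle ID:\t\t0x1a4\n"
)

# Same event shape for an ordinary (constructed) user, which must stay indexed.
SAMPLE_4663_USER = (
    SAMPLE_4663_SYSTEM.replace("NT AUTHORITY\\SYSTEM", "EXAMPLE\\jdoe")
    .replace("WIN-FS01$", "jdoe")
    .replace("0x3E7", "0x5A2B1")
)

# The regex exactly as posted in blacklist3 ...
ORIGINAL_RE = r"Security ID:(\w[NT]\s\w+.\w+)"
# ... and the one proposed in the answer.
PROPOSED_RE = r"Security ID:\s*NT\sAUTHORITY\\SYSTEM"
# Assumption for a more tolerant variant: if SID resolution fails, the message
# carries the well-known LocalSystem SID S-1-5-18 instead of the friendly name.
ROBUST_RE = r"Security ID:\s*(?:NT AUTHORITY\\SYSTEM|S-1-5-18)\b"


def matches(pattern: str, message: str) -> bool:
    """True if the regex is found anywhere in the message (unanchored search)."""
    return re.search(pattern, message) is not None


def rule_matches(rule: dict, event: dict) -> bool:
    """Emulate one blacklistN line: every key=regex pair must match its field."""
    return all(matches(pattern, str(event.get(key, ""))) for key, pattern in rule.items())


def should_index(event: dict, blacklists: list) -> bool:
    """An event is indexed unless at least one blacklist line matches it."""
    return not any(rule_matches(rule, event) for rule in blacklists)


# The posted inputs.conf, as a list of key=regex dicts (one per blacklistN).
POSTED_BLACKLISTS = [
    {"EventCode": "4662", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": "566", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": "4663", "Message": ORIGINAL_RE},
]
# Same config with blacklist3 replaced by the proposed regex.
FIXED_BLACKLISTS = POSTED_BLACKLISTS[:2] + [{"EventCode": "4663", "Message": PROPOSED_RE}]

SYSTEM_EVENT = {"EventCode": "4663", "Message": SAMPLE_4663_SYSTEM}
USER_EVENT = {"EventCode": "4663", "Message": SAMPLE_4663_USER}

if __name__ == "__main__":
    # The original regex only matches when no whitespace follows the colon,
    # which is not how the Windows message is rendered.
    print("original regex, real layout :", matches(ORIGINAL_RE, SAMPLE_4663_SYSTEM))
    print("original regex, no whitespace:", matches(ORIGINAL_RE, "Security ID:NT AUTHORITY\\SYSTEM"))
    print("proposed regex, real layout :", matches(PROPOSED_RE, SAMPLE_4663_SYSTEM))
    print("SYSTEM event indexed (posted):", should_index(SYSTEM_EVENT, POSTED_BLACKLISTS))
    print("SYSTEM event indexed (fixed) :", should_index(SYSTEM_EVENT, FIXED_BLACKLISTS))
    print("user event indexed (fixed)   :", should_index(USER_EVENT, FIXED_BLACKLISTS))
```

The failing piece is \w immediately after "Security ID:": the rendered message has tabs there, so the posted regex never matches and the SYSTEM events keep getting indexed, whereas \s* absorbs the whitespace. Before relying on any Message-based blacklist, check the exact rendering in an indexed event (tabs versus spaces, resolved name versus raw SID), since the filter is only as good as its match on that text.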