Splunk Search

Universal Forwarder blacklist - Can anyone help with a simple regex?

baf879
Path Finder

Hi everyone,

On my Universal Forwarder, I'm able to effectively blacklist Windows event codes when I do it based on the EventCode field. However, when I try to add regex to my blacklist entries it doesn't work.

Essentially, I want to reduce the number of EventCode=4688 entries where the "New Process Name" field is coming from the Splunk client. So, let's say I want to blacklist events where the EventCode=4688 and the New Process Name contains "splunk-winprintmon.exe".

Here's the contents of the actual event:

01/07/2016 12:38:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=BBLAPTOP.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=8541755
Keywords=Audit Success
Message=A new process has been created.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       BBLAPTOP$
    Account Domain:     LOCAL
    Logon ID:       0x3e7

Process Information:
    New Process ID:     0x6c18
    New Process Name:   C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
    Token Elevation Type:   TokenElevationTypeDefault (1)
    Creator Process ID: 0x2108
    Process Command Line:   

I've been able to get "matching" regexes created when I try it out on a website like regexpal.com. The regex below matches the event text just fine on their site, but does not work with the Splunk forwarder:

(?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe).*

My inputs.conf contains:

blacklist3 = (?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe).*

I've also tried it without the leading (?msi)^ and was not successful. I really need to reduce my licensing volume as I'm frequently in violation, so if anyone has any ideas or solutions I would greatly appreciate it!

1 Solution

baf879
Path Finder

All:

Thanks again for all of the research and suggestions. I was able to get this resolved late yesterday - I posted my solution to this page but for whatever reason it isn't showing up so I'll try it again. Through a combination of reading (and re-reading, and staring, and re-reading) the inputs.conf.spec and flat out trying everything, this was the working solution:

blacklist1 = EventCode="4688" Message="(A new process has been created)(?s).*(splunk-winprintmon)"
blacklist2 = EventCode="4688" Message="(A new process has been created)(?s).*(splunk-regmon)"

My next step is to consolidate these two lines into one, and include the other Splunk UF events I don't currently need (splunk-netmon, splunk-admon). The UF is limited to 10 blacklist items, so I'm thinking there is a way via regex to look for "splunk-*mon.exe". If anyone has a quick fix for that, I'd be glad to hear it.

I appreciate everyone's suggestions and ideas, it was a big help in getting this implemented!

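As an added illustration, not code from this thread, here is a small Python harness that models the key-based matching the accepted blacklist1 line relies on (each key="regex" pair must match its own key, with (?s) letting .* cross the newlines inside Message), contrasts it with the raw-event regex from the question, and adds one consolidated line for the splunk-*mon.exe follow-up. The key-splitting in split_keys is a simplified assumption, the sample event is constructed from the one in the question, and the function names and the consolidated pattern are mine.

```python
import re

# Constructed sample event, modelled on the one in the question (not a real capture)
EVENT = r"""01/07/2016 12:38:09 PM
LogName=Security
EventCode=4688
Message=A new process has been created.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       BBLAPTOP$

Process Information:
    New Process ID:     0x6c18
    New Process Name:   C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
    Creator Process ID: 0x2108
"""

def compile_pcre_like(rx):
    """Splunk uses PCRE, which accepts (?s) anywhere in a pattern; Python 3.11+
    only accepts inline flags at the start, so hoist them (same semantics)."""
    flags = "".join(sorted(set("".join(re.findall(r"\(\?([imsx]+)\)", rx)))))
    body = re.sub(r"\(\?[imsx]+\)", "", rx)
    return re.compile(("(?%s)" % flags if flags else "") + body)

def split_keys(event):
    """Assumed, simplified model of how the UF exposes keys: header lines are
    Key=Value and everything from 'Message=' onward is a single Message key."""
    head, sep, msg = event.partition("Message=")
    keys = {}
    for line in head.splitlines():
        k, eq, v = line.partition("=")
        if eq:
            keys[k.strip()] = v.strip()
    if sep:
        keys["Message"] = msg
    return keys

def blacklisted(event, blacklist_value):
    """True when every key="regex" pair in the blacklist line matches its key."""
    keys = split_keys(event)
    pairs = re.findall(r'(\w+)="([^"]*)"', blacklist_value)
    return all(k in keys and compile_pcre_like(rx).search(keys[k]) for k, rx in pairs)

# The accepted line from the thread, and one consolidated line (my suggestion) for
# the splunk-*mon.exe follow-up; (?s) is what lets .* cross the Message's newlines
ACCEPTED = 'EventCode="4688" Message="(A new process has been created)(?s).*(splunk-winprintmon)"'
CONSOLIDATED = r'EventCode="4688" Message="(?s)New Process Name:.*splunk-(winprint|reg|net|ad)mon\.exe"'
```

Dropping the (?s) from the Message regex makes the same line stop matching, which is the difference between the working and non-working attempts in this thread.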

jchampagne_splu
Splunk Employee

Ok, that looks good...except that I doubt the RegEx in blacklist1 and blacklist2 will match anything

0 Karma

baf879
Path Finder

It looks like your blacklist3 suggestion might have gotten messed up, as it's missing some asterisks that I had. Unless you purposely left them out...so should blacklist3 actually look like this:

blacklist3 = (?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)

This would omit the first caret, as well as the "trailing" .* . I also put the backslash between splunk-winprintmon and the .exe .

0 Karma

jchampagne_splu
Splunk Employee

Yes, you're right. Somehow the formatting got messed up. The line should look like the one you've posted.

blacklist3 = (?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)

0 Karma

baf879
Path Finder

No luck this time. I did comment out the entries you said probably aren't working, and bumped this up to #1. So my inputs.conf contains this line:

blacklist1 = (?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon.exe)

0 Karma

jchampagne_splu
Splunk Employee

See my comments below under Lisa's answer. I made a mistake above and we actually need to work with a specific set of Keys here, not just the raw event.

0 Karma

lguinn2
Legend

If you are having trouble with this on the forwarder, why not do this on the indexer instead? The indexer is capable of handling more advanced criteria - and it will not affect your license. The following example will eliminate the events before they are indexed:

props.conf

[sourcetypeNameofEventLog]
TRANSFORMS-eliminate = remove_winprintmon

transforms.conf

[remove_winprintmon]
SOURCE=_raw
REGEX= (?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)
DEST=queue
FORMAT=nullQueue

This will pull matching events from the index queue and trash them. Note that the transform will only run against the inbound data that matches the sourcetype. BTW, regexes in transforms.conf are unanchored by default, so you don't need the .* at the end...

0 Karma

baf879
Path Finder

Thanks. I am actually doing this at the indexer currently (for EventCode 4688 where my 3rd party inventory agent is being chatty). My license usage dropped significantly (by half), however, I started seeing some indexing latency. I was trying to eliminate this as a potential cause by pushing it out to the clients. Not sure if it really would cause the latency but figured it was worth investigating.

Thank you for the tip regarding the .* at the end, I'll go in and remove that. There's one more thing I learned about regex today!

0 Karma

lguinn2
Legend

To investigate the latency, you might turn on the Distributed Management Console on your indexer (if you haven't already) and look at the indexing dashboards, particularly the queues...

For more information, go to http://conf.splunk.com/speakers.html# and search the page for the topic "How splunkd Works"
It's a great presentation, if you haven't seen it before. There is both a recording and a slide download link.

0 Karma