Hi everyone,
On my Universal Forwarder, I'm able to effectively blacklist Windows event codes when I do it based on the EventCode field. However, when I try to add regex to my blacklist entries it doesn't work.
Essentially, I want to reduce the number of EventCode=4688 entries where the "New Process Name" field is coming from the Splunk client. So let's say, I want to blacklist events where the EventCode=4688 and the New Process Name contains "splunk-winprintmon.exe".
Here's the contents of the actual event:
01/07/2016 12:38:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=BBLAPTOP.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=8541755
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: BBLAPTOP$
Account Domain: LOCAL
Logon ID: 0x3e7
Process Information:
New Process ID: 0x6c18
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x2108
Process Command Line:
I've been able to get "matching" regexes created when I try it out on a website like regexpal.com. The regex below matches the event text just fine on their site, but does not work with the Splunk forwarder:
(?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe).*
My inputs.conf contains:
blacklist3 = (?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe).*
I've also tried it without the leading (?msi)^ and was not successful. I really need to reduce my licensing volume as I'm frequently in violation, so if anyone has any ideas or solutions I would greatly appreciate it!
All:
Thanks again for all of the research and suggestions. I was able to get this resolved late yesterday - I posted my solution to this page but for whatever reason it isn't showing up so I'll try it again. Through a combination of reading (and re-reading, and staring, and re-reading) the inputs.conf.spec and flat out trying everything, this was the working solution:
blacklist1 = EventCode="4688" Message="(A new process has been created)(?s).*(splunk-winprintmon)"
blacklist2 = EventCode="4688" Message="(A new process has been created)(?s).*(splunk-regmon)"
My next step is to consolidate these two lines into one, and include the other Splunk UF events I don't currently need (splunk-netmon, splunk-admon). The UF is limited to 10 blacklist items, so I'm thinking there is a way via regex to look for "splunk-*mon.exe". If anyone has a quick fix for that, I'd be glad to hear it.
I appreciate everyone's suggestions and ideas, it was a big help in getting this implemented!
Ok, that looks good...except that I doubt the RegEx in blacklist1 and blacklist2 will match anything.
It looks like your blacklist3 suggestion might have gotten messed up, as it's missing some asterisks that I had. Unless you purposely left them out...so should blacklist3 actually look like this:
blacklist3 = (?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)
This would omit the first caret, as well as the "trailing" .* . I also put the backslash between splunk-winprintmon and the .exe .
Yes, you're right. Somehow the formatting got messed up. The line should look like the one you've posted.
blacklist3 = (?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)
No luck this time. I did comment out the entries you said probably aren't working, and bumped this up to #1. So my inputs.conf contains this line:
blacklist1 = (?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon.exe)
See my comments below under Lisa's answer. I made a mistake above and we actually need to work with a specific set of Keys here, not just the raw event.
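Added example, not from any of the posts above: a small Python script that emulates the key=regex blacklist against the 4688 event quoted in the question. It assumes the behaviour the working solution implies (each Key="regex" pair is searched, unanchored, against that one field, and all pairs on the line must match); the rule parser and the field splitter are my own, not Splunk's code. It shows one consolidated rule for splunk-winprintmon, splunk-regmon, splunk-netmon and splunk-admon, and why the original whole-event regex cannot match once the forwarder evaluates it against a named key such as Message. One caveat when testing Splunk (PCRE) regexes in Python: Python's re requires a global flag like (?s) at the start of the pattern, so the (?s) that sits mid-pattern in the working rule is moved to the front here.

```python
import re

# Constructed sample, modelled on the 4688 event quoted in the question.
# Header keys come first, one per line; everything from "Message=" onward is
# the multi-line Message value.
SAMPLE_EVENT = """01/07/2016 12:38:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=BBLAPTOP.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=8541755
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: NT AUTHORITY\\SYSTEM
Account Name: BBLAPTOP$
Account Domain: LOCAL
Logon ID: 0x3e7
Process Information:
New Process ID: 0x6c18
New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winprintmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x2108
Process Command Line:
"""


def parse_event(raw):
    """Split a raw WinEventLog event into a dict of key -> value.

    Lines before "Message=" are single-line key=value pairs; the Message value
    runs to the end of the event. The timestamp line has no key and is skipped.
    """
    fields = {}
    head, sep, message = raw.partition("\nMessage=")
    for line in head.splitlines():
        key, eq, value = line.partition("=")
        if eq:
            fields[key] = value
    if sep:
        fields["Message"] = message
    return fields


# Key="regex" pairs; assumes the regex itself contains no double quotes.
RULE_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_rule(rule):
    """Turn 'Key="regex" Key="regex"' into a list of (key, compiled regex)."""
    return [(k, re.compile(v)) for k, v in RULE_RE.findall(rule)]


def rule_matches(rule, fields):
    """Assumed UF semantics: every key=regex pair must match (AND), a missing
    key never matches, and regexes are unanchored (re.search)."""
    pairs = parse_rule(rule)
    if not pairs:
        return False
    return all(key in fields and rx.search(fields[key]) for key, rx in pairs)


# The thread's working rule, with (?s) moved to the front of the Message regex
# (PCRE accepts "(...)(?s).*" mid-pattern; Python's re does not).
RULE_WINPRINTMON = r'EventCode="4688" Message="(?s)(A new process has been created).*(splunk-winprintmon)"'

# One consolidated rule for the four UF helper processes named in the thread,
# ending in "\.exe" so the process name itself has to match.
RULE_ALL_UF = r'EventCode="4688" Message="(?s)A new process has been created.*splunk-(winprintmon|regmon|netmon|admon)\.exe"'

# The regex the question originally tried; it expects the "EventCode=" line to
# be inside the text it is run against.
RAW_STYLE_REGEX = re.compile(
    r"(?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)")


def variant(process):
    """Same event with a different New Process Name (constructed)."""
    return SAMPLE_EVENT.replace("splunk-winprintmon.exe", process)


def demo():
    """Return {case: blacklisted?} for a few process names and both regex styles."""
    results = {}
    for name in ("splunk-winprintmon.exe", "splunk-regmon.exe",
                 "splunk-admon.exe", "notepad.exe"):
        results[name] = rule_matches(RULE_ALL_UF, parse_event(variant(name)))
    fields = parse_event(SAMPLE_EVENT)
    # The raw-style regex matches the whole event text...
    results["raw_regex_on_raw"] = bool(RAW_STYLE_REGEX.search(SAMPLE_EVENT))
    # ...but not when evaluated against the Message key alone.
    results["raw_regex_on_message"] = bool(RAW_STYLE_REGEX.search(fields["Message"]))
    return results


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:24} {'BLACKLISTED' if hit else 'kept'}")
```

Run it as-is; the consolidated rule drops the three Splunk helper processes and keeps notepad.exe, and the last two lines of output show the whole-event regex matching the raw text but not the Message field.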
If you are having trouble with this on the forwarder, why not do this on the indexer instead? The indexer is capable of handling more advanced criteria - and it will not affect your license. The following example will eliminate the events before they are indexed:
props.conf
[sourcetypeNameofEventLog]
TRANSFORMS-eliminate = remove_winprintmon
transforms.conf
[remove_winprintmon]
SOURCE_KEY = _raw
REGEX = (?msi)^EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe)
DEST_KEY = queue
FORMAT=nullQueue
This will pull matching events from the index queue and trash them. Note that the transform will only run against the inbound data that matches the sourcetype. BTW, regexes in transforms.conf are unanchored by default, so you don't need the .* at the end...
Thanks. I am actually doing this at the indexer currently (for EventCode 4688 where my 3rd party inventory agent is being chatty). My license usage dropped significantly (by half), however, I started seeing some indexing latency. I was trying to eliminate this as a potential cause by pushing it out to the clients. Not sure if it really would cause the latency but figured it was worth investigating.
Thank you for the tip regarding the .* at the end, I'll go in and remove that. There's one more thing I learned about regex today!
To investigate the latency, you might turn on the Distributed Management Console on your indexer (if you haven't already) and look at the indexing dashboards, particularly the queues...
For more information, go to http://conf.splunk.com/speakers.html# and search the page for the topic "How splunkd Works"
It's a great presentation, if you haven't seen it before. There is both a recording and a slide download link.