I'm trying to do some Windows event blacklisting due to a high volume on a particular server. However, I'm having trouble producing a search to match the events without the search spanning multiple lines.
So we are dealing with windows events. index=wineventlog source=wineventlog:security EventCode=4624.
I have an extracted field (from the Windows infrastructure app) called member_id. This contains two values which seem to be separated by a new line, as they are vertically stacked and look like this when listed in stats or tables:
NULL SID
NT AUTHORITY\SYSTEM
This below search will match the events I'm after correctly:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
NT AUTHORITY\\SYSTEM"
However this does not work:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\nNT AUTHORITY\\SYSTEM"
and neither does this:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\r\nNT AUTHORITY\\SYSTEM"
or
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\n\rNT AUTHORITY\\SYSTEM"
In my inputs.conf file I have tried the following and it is not working. I suspect because the blacklist is not expecting to span multiple lines and doesn't know where to start and end.
inputs.conf (for the universal forwarder on the windows endpoint)
[WinEventLog://Security]
disabled = 0
blacklist = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
NT AUTHORITY\\SYSTEM"
blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
<Redacted>\\<Redacted>$"
My Google fu has failed me and I don't seem to be able to find out how to do this. I hope some Splunk Guru will be able to help me solve this.
Thanks in advance,
Sean
There is proper doc for blacklist and whitelist syntax. The blacklist below will not work the way a Splunk search works. You need to replace the blacklist as in the examples given in the doc below:
blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
<Redacted>\\<Redacted>$"
Below are examples to give an idea of how blacklist works in UF inputs.conf for Windows events:
#to blocklist EventCode=4663 completely
blacklist1 = EventCode=%^4663$%
#to blocklist specified process(tomcat9.exe) captured under Message from event code 4663
#blacklist2 = EventCode = "4663" Message = "Process Name:\s+D:\\app\\application\\Tomcat\\bin\\Tomcat9.exe"
Like EventCode and Message in the above examples, Splunk accepts only the keys mentioned in the doc given above.
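As an added illustration of the point in the answer above (this is not code from the thread or from Splunk), the Python script below emulates how a blacklist<N> value in a [WinEventLog://Security] stanza is evaluated: a rule is a sequence of key=regex pairs, only a fixed set of forwarder-side event keys is accepted, and a rule blacklists the event when every regex in it matches. The allowed-key set is reproduced from inputs.conf.spec as an assumption (check the spec for your version), and the 4624 event text is constructed. It shows why member_id cannot appear in a rule (it is a search-time field, not a key the forwarder has) and how a Message regex using \s+ and [\s\S]*? matches values that sit on different lines of the message.

```python
import re

# Keys accepted by blacklist<N> in a [WinEventLog://...] stanza, per Splunk's
# inputs.conf.spec. Reproduced here as an assumption; verify against your
# version's spec. Search-time extracted fields such as member_id are NOT here.
ALLOWED_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType",
    "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
    "SidType", "SourceName", "TaskCategory", "Type", "User",
}

# Constructed sample of a 4624 event as the universal forwarder sees it.
# The two "Security ID" values are on separate lines of Message, which is
# where a multi-valued search-time field like member_id would come from.
SAMPLE_EVENT = {
    "EventCode": "4624",
    "ComputerName": "host01.example.local",  # constructed
    "Message": (
        "An account was successfully logged on.\r\n"
        "\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tNULL SID\r\n"
        "\tAccount Name:\t\t-\r\n"
        "\r\n"
        "New Logon:\r\n"
        "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\r\n"
        "\tAccount Name:\t\tSYSTEM\r\n"
    ),
}

# A rule in the form the answer recommends: allowed keys only, with the Message
# regex crossing the line break via \s+ and a lazy [\s\S]*? (PCRE and Python
# both treat \s as matching \r and \n).
RULE_SYSTEM_LOGON = (
    r'EventCode=%^4624$% '
    r'Message="Security ID:\s+NULL SID[\s\S]*?Security ID:\s+NT AUTHORITY\\SYSTEM"'
)

# The rule from the question, which uses a search-time field as a key.
RULE_MEMBER_ID = r'EventCode=%^4624$% member_id="NULL SID\nNT AUTHORITY\\SYSTEM"'


def parse_rule(rule: str) -> dict:
    """Parse key=regex pairs; each regex is wrapped in double quotes or %...%."""
    pair = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|%([^%]*)%)')
    parsed = {}
    for key, quoted, pct in pair.findall(rule):
        if key not in ALLOWED_KEYS:
            raise ValueError(f"{key!r} is not a valid WinEventLog blacklist key")
        parsed[key] = quoted or pct
    if not parsed:
        raise ValueError("no key=regex pairs found in rule")
    return parsed


def is_valid_rule(rule: str) -> bool:
    """True when the rule parses and uses only forwarder-side keys."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def rule_matches(rule: dict, event: dict) -> bool:
    """A rule matches only when every key's regex finds a match in that key."""
    return all(re.search(rx, event.get(key, "")) for key, rx in rule.items())


def is_blacklisted(event: dict, rules: list) -> bool:
    """An event is dropped when any one rule matches it."""
    return any(rule_matches(parse_rule(r), event) for r in rules)


if __name__ == "__main__":
    print("member_id rule is valid:", is_valid_rule(RULE_MEMBER_ID))
    print("sample 4624 blacklisted:", is_blacklisted(SAMPLE_EVENT, [RULE_SYSTEM_LOGON]))
```

The same Message regex can be dropped straight into inputs.conf as the value after Message = in a blacklist line; anchor it with the literal labels (Subject and New Logon sections) if a looser match would also catch logons you want to keep.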
Thank you, thambisetty, for your quick response; however, I am only using key=value pairs in there, unless you can point out where I'm not? It's just that one of the values for the key member_id has a newline char (or something) and I'm not able to match that in a single line with a \n or \r\n.
Regards,
Sean
Please provide a sample _raw event so I can give you an exact solution.
Sorry only SOME key=value pairs are allowed. I'll look into that further, thanks.