Splunk Search

splunk tags.conf disable stanza

koshyk
Super Champion

We need to override a tags & eventtypes from one of the official TA (eg eventtype=ssh_authentication).

eventtypes.conf have disabled=true at a stanza level, but tags.conf does NOT have such ability as per spec.

Any chance to disable entire stanza of tags.conf?

What we are looking for is something like below in tags.conf

[eventtype=ssh_authentication]
disabled=true

PS: If we don't do this, there is a "WARN" while doing Splunk search in GUI saying "unable to find eventtype=xxxxx".

0 Karma

harsmarvania57
Ultra Champion

Hi,

If I understand your question correctly then you want to disable tags based on eventtypes & you are talking about below eventtypes.conf stanza

[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
search = (NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
#tags = authentication remote

If this is the case then do not disable this stanza in eventtypes.conf but disable tags in tags.conf
So if you want to disable authentication tag then you can do below configuration in tags.conf

[eventtype=sshd_authentication]
authentication = disabled
remote = enabled
0 Karma

koshyk
Super Champion

but in as per your suggestion, the hard-work of eventtypes will be done by Splunk ?
So in above example, the [sshd_authentication] is done on EVERY single source-type and dataset, which is hugely inefficient & un-necessary step as we are not using the eventtype anymore.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...