Training + Certification Discussions

whitelist windows event logs

splunkbeef
New Member

The whitelist is not working for windows event logs. Is there something I'm doing wrong?
I'm trying to exclude event 4625 from blacklist1 because it is logged as information.

[WinEventLog://Security]
disabled=0
whitelist = EventCode="4625"
blacklist1 = Type = "(Information)"
blacklist2 = Type = "(Security Audit Success)"
blacklist3 = EventCode="36888"

Tags (1)
0 Karma

ssadh_splunk
Splunk Employee
Splunk Employee

If you are trying to exclude the event 4625, then you should not use whitelist.
Whitelist will include the following pattern.

Comments from documentation - https://docs.splunk.com/Documentation/Splunk/7.2.5/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...
" * Example:
whitelist = EventCode=%^200$% User=%jrodman%
Include events only if they have EventCode 200 and relate to User jrodman
"
Just try to use Blacklist if you want to drop EventCode 4625.
Maybe try
blacklist1 = EventCode="4625"
or
blacklist1 = EventCode="4625" Type = "(Information)"

0 Karma

splunkbeef
New Member

I looked at this documentation and others. Ran various btool options, I have no errors reported with btool check, and regex-validate. The debug output seems pretty clean also.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...