Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About bwaldren
bwaldren
Explorer
Member since:
11-29-2018
06-05-2020
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 11-29-2018 |
Activity Feed
- Got Karma for Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?. 06-05-2020 12:50 AM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 12-10-2018 11:49 AM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 12-10-2018 11:47 AM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 12-10-2018 10:09 AM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 12-06-2018 01:07 PM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 12-04-2018 01:26 PM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 12-04-2018 01:15 PM
- Posted Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 11-30-2018 12:11 PM
- Posted Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 11-29-2018 12:07 PM
- Tagged Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 11-29-2018 12:07 PM
- Tagged Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? on Getting Data In. 11-29-2018 12:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
12-10-2018
11:49 AM
Also, as a test, I removed the blacklisting event and I got this event from multiple servers.
... View more
12-10-2018
11:47 AM
Before I respond to you questions, I think I have uncovered something.
The blacklisting 'seems' to be working, but not on the events occurring on the host server. Initially, I was just looking at events, but then I realized the events were only coming from one server and that was the host.
Is there something Splunk related I need to do from the host server to keep from this event getting into the index?
... View more
12-10-2018
10:09 AM
I tried as you suggested and it did not work. I then tried with spaces between the commas and with quotes around each number and it did not work. I restarted Splunkd service each time.
... View more
12-06-2018
01:07 PM
I created these two files like you requested. I added a |5152 in the transforms.conf file. I placed them in the Splunk\etc folder.
What you mean by setting up a new app with a local directory?
I restarted splunkd and it still was not working.
... View more
12-04-2018
01:26 PM
What is the location of the props.conf and transform.conf files I am to modify? c:\program file\splunk...
My host server is generating 100k of these events every day so I would like to start on this server.
... View more
12-04-2018
01:15 PM
Moving it to the top was unsuccessful. I tried restarting the service and still did not work.
... View more
11-30-2018
12:11 PM
Which props.conf file do I modify? There are several on the host machine.
... View more
11-29-2018
12:07 PM
1 Karma
Hello,
I am trying to blacklist EventCode 5152 in inputs.conf. I have tried putting it in a different order in the list below (blacklist, blacklist3, blacklist5), and that didn't work. I have tried with the current message setting as well as typing out the message and that did not help. The other events listed are currently being blocked correctly. My current version of Splunk is 7.0.0. Any help would be appreciated.
From the inputs.conf file:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
blacklist = EventCode="5152" Message="*"
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4932" Message="*"
blacklist4 = EventCode="4933" Message="*"
From Splunk search
11/29/2018 01:44:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5152
EventType=0
Type=Information
ComputerName=XXX.northgrum.com
TaskCategory=Filtering Platform Packet Drop
OpCode=Info
RecordNumber=36423970
Keywords=Audit Failure
Message=The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: XXX
Source Port: 8080
Destination Address: XXX
Destination Port: 64430
Protocol: 6
Filter Information:
Filter Run-Time ID: 70679
Layer Name: Transport
Layer Run-Time ID: 13
EventCode = 5152
host = XXX
source = WinEventLog:Security
sourcetype = WinEventLog:Security
... View more
