cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Derksr
Explorer
Member since: ‎08-15-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎08-15-2011
Activity Feed
View All

Re: Unable to blacklist Windows events with regex ...

by in Splunk Search
‎11-06-2015 12:12 PM
1 Karma
‎11-06-2015 12:12 PM
1 Karma
Yes mine worked great. I've checked your regex with https://www.regex101.com/#python (did you?) The following works for me: Message="Account\sName:.*[\S\s]*Logon\sType:\s+[3][\S\s]*Account\sName:\s+[\S+]+[\$]" So 1 message directive. Looks like the following is what you want: (watch out for capitals EventCode != Eventcode ) blacklist3 = EventCode="4624" Message="Account\sName:.*[\S\s]*Logon\sType:\s+[3][\S\s]*Account\sName:\s+[\S+]+[\$]" ... View more

Re: Unable to blacklist Windows events with regex ...

by in Splunk Search
‎08-30-2015 02:08 PM
‎08-30-2015 02:08 PM
Thanks for your fast response. You pointed me in the right direction. I tested my regex against the consolidated message field, not the original Windows Eventlog Message. The original Eventlog Message contains tabs and newline chars. An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: SYSTEM Account Name: DC01$ Account Domain: AAA-BBB .... Solved it with the following regex blacklist entry: blacklist3 = EventCode="4624" Message="Account\sName:.*[\S\s]*Account\sName:\s+[\S+]+[\$]" ... View more

Unable to blacklist Windows events with regex on u...

by in Splunk Search
‎08-30-2015 03:00 AM
1 Karma
‎08-30-2015 03:00 AM
1 Karma
Hi All, We have an remote DC, to save bandwidth and Splunk license we like to filter out computer account logon messages. Using Splunk UFW 6.2.4 EventCode=4624 Example eventlog message: An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: DC01$ Account Domain: AAA-BBB Logon ID: 0x2d71a99b Logon GUID: ....... Account Name is listed twice, if the second Account Name directive is an computer account (ending with a $) the event should be blacklisted and not forwarded to the indexer. I added the following to the inputs.conf in de deployment-apps/Splunk_TA_windows/local: blacklist3 = EventCode="4624" Message="Account\sName:\s.*Account\sName:\s(\S+\$)" Why is this not working? Tested the regex on https://regex101.com/ and it looks fine? Blacklisting just EventCode="4624" is working fine but that’s not what we want. Also tried the following, all not working while regex101 shows the regex is ok. blacklist3 = EventCode="4624" Message="(?:.*?Account Name:){2}\s(\S+)\$" blacklist3 = EventCode="4624" Message="Account Name:\s(\S+).+Account Name:\s(\S+)\$" blacklist3 = EventCode="4624" Message="Account\sName:.*Account\sName:\s[\S+]+[\$]" Thanks in advance, ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All