I'm looking to drop EventID 4673 where the action=failure. Here is an example log:

3/15/2023 02:51:42 PM
LogName=Security
EventCode=4673
EventType=0
ComputerName=redacted
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=redacted
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.

Subject:
    Security ID: redacted
    Account Name: redacted
    Account Domain: redacted
    Logon ID: redacted

Service:
    Server: Security
    Service Name:

Process:
    Process ID: xxxxx
    Process Name: C:\Windows\System32\backgroundTaskHost.exe

Service Request Information:
    Privileges: SeTcbPrivilege

From reading https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf?_ga=2.40401506.1999669205.1678852413-817152181.1624861549&_gl=1*s1kmhp*_ga*ODE3MTUyMTgxLjE2MjQ4NjE1NDk.*_ga_5EPM2P39FV*MTY3ODg2MDY5OS44Ni4xLjE2Nzg4NjA3NjAuNjAuMC4w#Event_Log_allow_list_and_deny_list_formats I can see that action is not a valid field to filter on?

# Valid keys for the key=regex format:
* The following keys are equivalent to the fields that appear in the text of
  the acquired events:
* Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
  LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
  TaskCategory, Type, User

So I chose to use Keywords, which has the value Audit Failure. Here is my inputs.conf:

---------------------
[WinEventLog://Security]
disabled = 0
index=corp_oswinsec
current_only=1
evt_resolve_ad_obj=0
checkpointInterval = 5
blacklist1 = EventCode="4673" Keywords="Audit Failure"
--------------------------------

I am still seeing these events being indexed however - any tips on where I am going wrong would be much appreciated!
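An added example, not part of the post and not Splunk's own code: a small Python checker that parses an event in the form quoted above and dry-runs a key=regex blacklist entry against it, so a rule can be sanity-checked (including the unsupported `action` key) before it goes into inputs.conf. It assumes, as my reading of the docs rather than anything verified against Splunk's implementation, that several key=regex pairs in one entry are ANDed and that each regex is unanchored; the sample event is constructed from the redacted one in the post.

```python
import re

# Constructed sample event, modelled on the redacted one quoted in the post.
SAMPLE_EVENT = r"""3/15/2023 02:51:42 PM
LogName=Security
EventCode=4673
ComputerName=redacted
SourceName=Microsoft Windows security auditing.
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
Message=A privileged service was called.
Process:
    Process Name: C:\Windows\System32\backgroundTaskHost.exe
Service Request Information:
    Privileges: SeTcbPrivilege"""

# Keys the docs list as usable in the key=regex allow/deny list format.
VALID_KEYS = {"Category", "CategoryString", "ComputerName", "EventCode", "EventType",
              "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
              "SidType", "SourceName", "TaskCategory", "Type", "User"}

def parse_event(text):
    """Header lines are Key=Value; from Message= onward the rest is the Message body."""
    fields, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if not sep or not key.isidentifier():
            continue  # timestamp and indented 'Name: value' lines are not header keys
        if key == "Message":
            fields[key] = "\n".join([value] + lines[i + 1:])
            break
        fields[key] = value
    return fields

def parse_rule(rule):
    """Split 'K1="re1" K2="re2"' into (key, regex) pairs; regexes are taken verbatim."""
    return re.findall(r'(\w+)="([^"]*)"', rule)

def unsupported_keys(rule):
    """Keys in the rule that are not filterable, e.g. the 'action' field from the post."""
    return [k for k, _ in parse_rule(rule) if k not in VALID_KEYS]

def is_blacklisted(event_text, rule):
    """True if every key=regex pair matches (assumed AND); an unsupported key never matches."""
    fields, pairs = parse_event(event_text), parse_rule(rule)
    return bool(pairs) and all(
        k in VALID_KEYS and re.search(rx, fields.get(k, "")) for k, rx in pairs)
```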