Hello all, I am trying to blacklist this app that is generating a ton of Windows Event logs until I find what app it is and uninstall it. This is for HP's DesktopExtension.exe. The weird thing is that it is only running on about 30 devices.

Here is the current section in inputs.conf:

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=4673 ProcessName="*\\DesktopExtension.exe*"
renderXml=false
index=oswinsec

However, even after restarting the Splunk forwarder the events still appear. I verified one of the hosts has the correct inputs.conf. I have also tried:

blacklist3 = EventCode=4673 ProcessName="C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe""

Here is an example of the log/event:

LogName=Security
EventCode=4673
EventType=0
ComputerName=*********
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10115718
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.

Subject:
    Security ID: *****************
    Account Name: ****************
    Account Domain: ***********
    Logon ID: ****************

Service:
    Server: Security
    Service Name: -

Process:
    Process ID: 0x6604
    Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe

Service Request Information:

Any tips?
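One way to check why blacklist3 leaves the event in place, as an added example that is not part of the original post and not Splunk's own code: a simplified Python model that assumes the key list given in Splunk's inputs.conf.spec for WinEventLog whitelist/blacklist rules and treats each value as a regular expression. The names `check_rule`, `POSTED`, `GLOB_IN_MESSAGE` and `MESSAGE_RULE` and the trimmed event are constructed for the illustration.

```python
import re

# Keys listed for WinEventLog whitelist/blacklist rules in inputs.conf.spec.
SUPPORTED_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType",
    "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
    "SidType", "SourceName", "TaskCategory", "Type", "User",
}

# Constructed from the sample event in the post (masked fields left out).
EVENT = {
    "LogName": "Security",
    "EventCode": "4673",
    "Keywords": "Audit Failure",
    "TaskCategory": "Sensitive Privilege Use",
    "Message": (
        "A privileged service was called.\n"
        "Process:\n"
        "\tProcess ID:\t0x6604\n"
        "\tProcess Name:\tC:\\Program Files\\WindowsApps\\"
        "AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\\win32\\"
        "DesktopExtension.exe\n"
    ),
}

def check_rule(rule, event=EVENT):
    """Return (would_drop, reason); every key=regex pair has to match."""
    for key, pattern in rule.items():
        if key not in SUPPORTED_KEYS:
            return False, f"unsupported key: {key}"
        try:
            compiled = re.compile(pattern)
        except re.error as exc:  # e.g. a glob-style leading '*'
            return False, f"invalid regex for {key}: {exc}"
        if not compiled.search(event.get(key, "")):
            return False, f"{key} did not match"
    return True, "all keys matched"

# The rule as posted, the same glob moved to Message, and a regex on Message.
POSTED = {"EventCode": "4673", "ProcessName": r"*\\DesktopExtension.exe*"}
GLOB_IN_MESSAGE = {"EventCode": "4673", "Message": r"*\\DesktopExtension.exe*"}
MESSAGE_RULE = {"EventCode": "4673",
                "Message": r"Process Name:\s+.*\\DesktopExtension\.exe"}

if __name__ == "__main__":
    for name, rule in [("posted", POSTED), ("glob in Message", GLOB_IN_MESSAGE),
                       ("regex on Message", MESSAGE_RULE)]:
        print(name, check_rule(rule))
```

Under the same assumptions the matching inputs.conf line would be `blacklist3 = EventCode="4673" Message="Process Name:\s+.*\\DesktopExtension\.exe"`, since the process path only appears inside the Message text when renderXml=false.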