I'm trying to blacklist Windows Events 4688 and 4689 that come from the Splunk Universal Forwarder. I've checked the regex and it looks right according to http://regexr.com/. I've looked through many of the different links and haven't seen anyone doing this specifically. Has anyone else had any luck with this?
Thanks in advance for your help.
My config file for the app looks like this:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
index = wineventlog
# Drop these event IDs entirely
blacklist = 5156,5158,4656
# Drop process-exit (4689) and process-creation (4688) events for forwarder binaries.
# In the key="regex" form each regex is applied to that field; 4688 labels the field "New Process Name:"
blacklist1 = EventCode="4689" Message="Process Name:.*SplunkUniversalForwarder"
blacklist2 = EventCode="4688" Message="New Process Name:.*SplunkUniversalForwarder"
Sample event:
08/25/2015 11:15:35 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=XXXXXXXX.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=60854906
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: XXXXX$
Account Domain: XXXXX
Logon ID: 0x3e7
Process Information:
New Process ID: 0x808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x12e8
Process Command Line:
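To see why a rule naming only one EventCode leaves the 4688 event above untouched, here is an added example (not from the post or from Splunk) that replays the key="regex" blacklist matching against a constructed copy of that event. It assumes Splunk's semantics are "every key's regex must find a match in that field's value"; the parser and rule strings are mine, not Splunk's.

```python
import re

# Constructed sample, abridged from the 4688 event quoted in the post.
SAMPLE_4688 = r"""08/25/2015 11:15:35 AM
LogName=Security
EventCode=4688
Message=A new process has been created.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Process Information:
New Process ID: 0x808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
"""

# A rule that names only 4689, and a variant whose EventCode pattern covers
# both IDs the post wants suppressed (anchored so "14688" could not match).
RULE_SINGLE = 'EventCode="4689" Message="Process Name:.*SplunkUniversalForwarder"'
RULE_BOTH = 'EventCode="^(4688|4689)$" Message="Process Name:.*SplunkUniversalForwarder"'


def parse_event(text):
    """Split a WinEventLog event into header fields; everything from the
    Message= line onward is treated as the (multi-line) Message value."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


RULE_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_rule(rule):
    """Turn 'Key="regex" Key2="regex"' into a list of (key, compiled regex)."""
    return [(key, re.compile(pattern)) for key, pattern in RULE_RE.findall(rule)]


def rule_matches(rule, event):
    """Assumed semantics (not checked against Splunk's source): the rule
    fires only when every key's regex finds a match in that field's value."""
    return all(rx.search(event.get(key, "")) for key, rx in parse_rule(rule))
```

Note that "Process Name:" is a substring of "New Process Name:", so the Message pattern already matches the 4688 layout; the gap is only the EventCode part. Also, a Message pattern this broad suppresses any process whose path contains SplunkUniversalForwarder, not just the forwarder's own binaries, so keep an eye on what else lives under that directory.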