I want Splunk to ingest my AV log. I made the following entry in the inputs.conf file: Note: The log file is a text file with no formatting. [monitor://C:ProgramData\'Endpoint Security'\logs\OnDemandScan_Activity.log] disable=0 index=winlogs sourcetype=WinEventLog:AntiVirus start_from=0 current_only=0 checkpointInterval = 5 renderXml=false   My question is: Is the stanza written correctly? When I do a search I am not seeing anything. ... View more

I am exceeding my 5GB license. I have determine the problem by doing a 24 hour search using the following: index="winlogs" host=filesvr souce="WinEventLog:Security" EventCode=4663 Accesses="ReadData (or ListDirectory) Security_ID="NT AUTHORITY\SYSTEM" The above search returns 4.5 million plus records. My question is how do I stop Splunk from ingesting     Security_ID="NT AUTHORITY\SYSTEM" of EventCode 4663? Would appreciate any assistance\suggestions given. ... View more

I use Splunk to ingest events from the windows Security, Application and System event logs. We have a scanner that is very noisy and I would like for Splunk not ingest the events that the scanner creates.  I have tried without success to use SEDCMD on my indexer's Props.conf: SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file: blacklist = 12\.34\.567\.89 Would appreciate any assistance\suggestions given.   ... View more

I audit windows computers. My search looks for the date, time, EventCode and Account_Name:   Date                        Time            EventCode  Account_Name 2023/08/29       16:09:30     4624                   jsmith   I would like the Time field to turn red when a user signs in after hours (1800 - 0559). I have tried clicking on the pen in the time column and selecting Color than Ranges. I always get error messages about not putting the numbers in correct order. What do I need to do? ... View more

-- I want to see events of 4648. I want to filter out certain ones. Is my stanza configured correctly? \etc\system\local\inputs.conf [WinEventLog://Security] disabled = 0 whitelist = EventCode="4648" blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+computer01$" blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+Window Manger" blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+Font Driver Host" -- Is there a Log that I can look at to troubleshoot my stanza? ... View more

I want to whitelist events when users put the password in the logon window during login. See example below, note the *****: An account failed to log on. Subject: Security ID: SYSTEM Account Name: Computer01 Account Domain: MyDomain Logon ID: 0x3E7 Logon Type: 7 Account For Which Logon Failed: Security ID: NULL SID Account Name: User Account Domain: MyDomain Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D ************** Sub Status: 0xC000006A Process Information: Caller Process ID: 0x8e0D Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: Computer01 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 My whitelist is as follows: whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d" Need assistance with coding the 0xc000006d Thank you! ... View more