Activity Feed
- Posted Text File Ingestion on Getting Data In. 07-17-2024 09:41 AM
- Posted Prevent ingestion of "NT AUTHORITY\SYSTEM" EventCode 4663 on Getting Data In. 07-17-2024 06:40 AM
- Posted Prevent events with a specific IP or Workstation name from being ingested. on Getting Data In. 06-10-2024 02:31 PM
- Posted Re: Correct format for inputs.conf stanza on Splunk Enterprise. 03-27-2024 01:45 PM
- Posted Correct format for inputs.conf stanza on Splunk Enterprise. 03-27-2024 01:01 PM
- Posted Re: Time Field Coloring on Splunk Enterprise. 09-06-2023 02:24 PM
- Posted Time Field Coloring on Splunk Enterprise. 08-30-2023 03:28 PM
- Posted Re: Getting Data In: Session 1 - Wed 3/15/23 on Community Office Hours. 03-13-2023 08:26 AM
- Posted Blacklist format on Getting Data In. 01-24-2020 09:41 AM
- Posted Re: Whitelist/Blacklist Event ID using Forwarder Management on Getting Data In. 01-24-2020 09:35 AM
- Posted Re: Whitelist bad logon on Getting Data In. 01-24-2020 09:04 AM
- Posted Whitelist bad logon on Getting Data In. 01-20-2020 03:46 PM
07-17-2024
09:41 AM
I want Splunk to ingest my AV log. I made the following entry in the inputs.conf file: Note: The log file is a text file with no formatting.
[monitor://C:ProgramData\'Endpoint Security'\logs\OnDemandScan_Activity.log]
disable=0
index=winlogs
sourcetype=WinEventLog:AntiVirus
start_from=0
current_only=0
checkpointInterval = 5
renderXml=false
My question is:
Is the stanza written correctly?
When I do a search I am not seeing anything.
Labels: inputs.conf, monitor, universal forwarder
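As an added example (not the poster's stanza), the same monitor input written the way Splunk expects it; the sourcetype name is an assumption:

```ini
# inputs.conf on the universal forwarder. Added example; sourcetype name is assumed.
# Differences from the posted stanza:
#  - the path needs the backslash after "C:" and no quotes around "Endpoint Security"
#    (a space inside a monitor:// stanza header is allowed as-is)
#  - the setting is "disabled", not "disable"
#  - start_from, current_only, checkpointInterval and renderXml are settings of
#    WinEventLog:// inputs, not of a file monitor, so they are dropped here
[monitor://C:\ProgramData\Endpoint Security\logs\OnDemandScan_Activity.log]
disabled = 0
index = winlogs
# Plain-text file, not a Windows event log: a descriptive sourcetype (assumed name)
# is clearer than a WinEventLog:* name for this data.
sourcetype = endpoint_av_ondemandscan
```

The index winlogs must already exist on the indexers, and `splunk list inputstatus` run on the forwarder shows whether the file is actually being read.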
07-17-2024
06:40 AM
I am exceeding my 5GB license. I have determined the problem by doing a 24 hour search using the following:
index="winlogs" host=filesvr source="WinEventLog:Security" EventCode=4663 Accesses="ReadData (or ListDirectory)" Security_ID="NT AUTHORITY\SYSTEM"
The above search returns 4.5 million plus records.
My question is how do I stop Splunk from ingesting Security_ID="NT AUTHORITY\SYSTEM" of EventCode 4663?
Would appreciate any assistance/suggestions given.
Labels: inputs.conf, universal forwarder, Windows
06-10-2024
02:31 PM
I use Splunk to ingest events from the Windows Security, Application and System event logs. We have a scanner that is very noisy and I would like Splunk not to ingest the events that the scanner creates.
I have tried without success to use SEDCMD in my indexer's props.conf:
SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g
SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g
I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file:
blacklist = 12\.34\.567\.89
Would appreciate any assistance/suggestions given.
Labels: inputs.conf, props.conf, universal forwarder
03-27-2024
01:01 PM
I want to add C:\windows\system32\winevt\logs\Microsoft-Windows-DriverFrameworks-UserMode/Operational as a stanza in my inputs.conf. How do I write the stanza? Thank you
Labels: configuration
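An added example, not code from any of the posts, covering the three questions above: dropping 4663 events raised by NT AUTHORITY\SYSTEM, keeping the scanner's events out, and adding the DriverFrameworks-UserMode/Operational channel. The IP 12.34.567.89 and the host scanner-name01 are the placeholders from the posts, and the transform name drop_scanner_events is an assumption.

```ini
# --- inputs.conf on each universal forwarder ---
# Filtering here keeps the events off the network and off the license.
[WinEventLog://Security]
disabled = 0
# Drop 4663 object-access events whose Subject is the local SYSTEM account.
# key=regex pairs inside one entry are ANDed; blacklist1..blacklist9 are separate
# entries. The backslash in NT AUTHORITY\SYSTEM is doubled because the value is a regex.
# Check which detections rely on SYSTEM file-access audits before dropping them.
blacklist1 = EventCode="4663" Message="Security ID:\s+NT AUTHORITY\\SYSTEM"
# Drop the scanner's events. A bare IP is not a valid value (the plain form of
# blacklist is a list of event IDs), so match the IP or hostname in the message text.
# 12.34.567.89 and scanner-name01 are the placeholders from the post.
blacklist2 = Message="(Source Network Address|Workstation Name):\s+(12\.34\.567\.89|scanner-name01)\b"

[WinEventLog://Application]
disabled = 0
blacklist1 = Message="(12\.34\.567\.89|scanner-name01)\b"

[WinEventLog://System]
disabled = 0
blacklist1 = Message="(12\.34\.567\.89|scanner-name01)\b"

# An extra channel is named exactly as Event Viewer shows it, after WinEventLog://
[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]
disabled = 0

# --- Indexer-side alternative for the scanner traffic ---
# SEDCMD only rewrites text inside an event; to discard the whole event, route it to
# nullQueue. The transform name drop_scanner_events is an assumption.
# props.conf (the source stanza covers WinEventLog:Security, :Application and :System):
[source::WinEventLog:...]
TRANSFORMS-drop_scanner = drop_scanner_events
# transforms.conf:
[drop_scanner_events]
REGEX = (12\.34\.567\.89|scanner-name01)\b
DEST_KEY = queue
FORMAT = nullQueue
```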
09-06-2023
02:24 PM
bowesmana, thank you for your response. I am new to Splunk. I do not understand all the code you provided. My next question is how do I incorporate the actual search using your code. Here is the search:
index="winlogs" host=* source="WinEventLog:Security" EventCode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort _time | convert ctime(_time) as timestamp | table timestamp, EventCode, Logon_Type, Account_Name, RecordNumber, status
08-30-2023
03:28 PM
I audit Windows computers. My search looks for the date, time, EventCode and Account_Name:
Date Time EventCode Account_Name
2023/08/29 16:09:30 4624 jsmith
I would like the Time field to turn red when a user signs in after hours (1800 - 0559). I have tried clicking on the pen in the time column and selecting Color, then Ranges. I always get error messages about not putting the numbers in the correct order. What do I need to do?
Labels: configuration
03-13-2023
08:26 AM
I am looking for ways to Whitelist and Blacklist specific Windows event IDs for auditing purposes. Target logs are the Security, Application and System logs.
01-24-2020
09:41 AM
-- I want to see events of 4648. I want to filter out certain ones. Is my stanza configured correctly?
\etc\system\local\inputs.conf
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4648"
blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+computer01$"
blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+Window Manger"
blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+Font Driver Host"
-- Is there a Log that I can look at to troubleshoot my stanza?
01-24-2020
09:35 AM
I have configured my \etc\system\local\inputs.conf as follows:
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4625"
The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.
01-24-2020
09:04 AM
Giuseppe,
Thank you for your suggestion.
I am trying to create a whitelist in the etc\system\local\inputs.conf file.
Still not having any success.
01-20-2020
03:46 PM
I want to whitelist events when users put the password in the logon window during login.
See example below, note the *****:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: Computer01
Account Domain: MyDomain
Logon ID: 0x3E7
Logon Type: 7
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User
Account Domain: MyDomain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D **************
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x8e0D
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: Computer01
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
My whitelist is as follows:
whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"
Need assistance with coding the 0xc000006d
Thank you!
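An added example (not the poster's stanzas) serving both the 4648 whitelist/blacklist post and the 4625 bad-password post above; it assumes the rendered event text shown in the 4625 post and the standard 4648 labels, and that computer01 is a machine account (hence the trailing $).

```ini
# inputs.conf on the universal forwarder. Added example. With a whitelist present,
# only matching events are forwarded, and blacklist entries win over whitelist entries,
# so this stanza sends 4625 bad-password events and filtered 4648 events, nothing else.
[WinEventLog://Security]
disabled = 0
# 4625: in the rendered event, "Failure Information:" is followed by a "Failure Reason:"
# line before "Status:", so "Failure\sInformation\sStatus:" can never match. Anchor on the
# Status line itself; "\s+Sub\sStatus:" after the value keeps the regex off the
# Sub Status line. Windows writes the hex in upper case (0xC000006D); (?i) accepts either.
whitelist1 = EventCode="4625" Message="(?i)Status:\s+0xC000006D\s+Sub\sStatus:"
# 4648: forward all of them, then drop those for the machine account and for the two
# session-manager pseudo-accounts. The label is "Account Whose Credentials Were Used:"
# (plural), a bare "$" is an end-of-input anchor so computer01$ needs "\$", and
# "Window Manager" / "Font Driver Host" are account domains (of DWM-n / UMFD-n),
# not account names.
whitelist2 = EventCode="4648"
blacklist1 = EventCode="4648" Message="Account Whose Credentials Were Used:\s+Account Name:\s+computer01\$"
blacklist2 = EventCode="4648" Message="Account Whose Credentials Were Used:\s+Account Name:\s+\S+\s+Account Domain:\s+(Window Manager|Font Driver Host)"
```

After a restart of the forwarder, splunkd.log on that host reports whether the stanza loaded; an event that still arrives can be checked by pasting its Message text against the regex in a search with `| regex`.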