Solved: How to edit inputs.conf to blacklist an eventcode?

t_gayathirik · ‎05-24-2017

I have the following inputs.conf stanza:

[WinEventLog://Security]     
disabled=0     
current_only=1     
blacklist1=EventCode=4662 Message=”Object Type:s+(?!groupPolicyContainer)”

Still we are receiving all the eventcode. Could you please help what else changes has to be made?

Note: We are making the changes in the deployment server for the blacklist

Richfez · ‎05-26-2017

Pulled from my working blacklist of that precise same EventCode and scenario:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

Not sure if the differences are copy/paste issues or if they're broken in your stanza, but the above has worked for me. Note the \s+.

Richfez · ‎05-26-2017

Pulled from my working blacklist of that precise same EventCode and scenario:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

Not sure if the differences are copy/paste issues or if they're broken in your stanza, but the above has worked for me. Note the \s+.

adonio · ‎05-26-2017

what is the full path to file of the above inputs.conf?
are you leveraging the Splunk TA for Windows?

How to edit inputs.conf to blacklist an eventcode?