Getting Data In

WinEventLog whitelisting by SourceName not working

jrlane
Engager

I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.

[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
index=windows_evt

With this config any events i put in the first whitelist line work perfectly, but the second line is not functional. As a test if I add an event code that will have a SourceName of "AD FS Auditing" (say EventCode=500) they come in just fine. I have tried various combinations of things for source name such as "^AD FS Auditing$" and ".*AD FS Auditing.*" with no success.

Labels (2)
0 Karma
1 Solution

spayneort
Contributor

You are using both whitelist formats in the same stanza. That does not work, according to http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata.

You can specify one of two formats:

One or more Event Log event codes or event IDs (Event Code/ID format.)

One or more sets of keys and regular expressions (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.

Try this instead:

 [WinEventLog://Security]
 whitelist= EventCode="4624|4625"
 whitelist1= SourceName="AD FS Auditing"
 index=windows_evt

View solution in original post

sonny_monti
Path Finder

Whitelisting for Wineventlog is a little bit tricky.

First of all you can whitelist only with these fields:
Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User

Then the logic behind differen whitelist rules is like this:

whitelist OR whitelist1 OR whitelist2 OR .... OR whitelistN

where each whitelist rule logic is like this

rule1 AND rule2 AND ... AND ruleN

Here a concrete example:

whitelist = EventCode="4624|4625"
whitelist1 = SourceName="AD FS Auditing"
whitelist2 = Keywords="Audit Success" User="Bob Marley"

This translates to:

EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley")

0 Karma

spayneort
Contributor

You are using both whitelist formats in the same stanza. That does not work, according to http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata.

You can specify one of two formats:

One or more Event Log event codes or event IDs (Event Code/ID format.)

One or more sets of keys and regular expressions (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.

Try this instead:

 [WinEventLog://Security]
 whitelist= EventCode="4624|4625"
 whitelist1= SourceName="AD FS Auditing"
 index=windows_evt

gcusello
Legend

Hi jrlane,
probably there's an error in your regex: e.g. before brachets and equal you have to insert a backslash ().

Try your regex in https://regex101.com/ or in Splunk before insert it in whitelist.

Bye.
Giuseppe

0 Karma

gcusello
Legend

Hi jrlane,
probably there's an error in your regex: e.g. before brachets and equal you have to insert a backslash ().

Try your regex in https://regex101.com/ or in Splunk before insert it in whitelist.

Bye.
Giuseppe

0 Karma

jrlane
Engager

I don't see how regex could be the problem. Running this query "index="myindex" SourceName="AD FS Auditing" EventCode=500 I get the the results I need, there should be no regex required on SourceName, it's an exact string.

0 Karma

gcusello
Legend

hi jrlane,
from http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = **<regular expression>**
* If set, files from this input are monitored only if their path matches the specified regex.
* Takes precedence over the deprecated _whitelist setting, which functions the same way.

in white list you have to insert a regex not a string or a field as the one you used in your example index="myindex" SourceName="AD FS Auditing" EventCode=500
So if you use a rex command in your search instead of string you can see that your regex is wrong (backslashes before brachets and equal).
try using whitelist1= SourceName\=\"AD FS Auditing\" in your inputs.conf.

You can verify this regex in this way:
using the regex of your whitelist, you don't have events

index="myindex" EventCode=500
| rex "SourceName="AD FS Auditing""

instead if you use the correct regex, you'll find events

index="myindex" EventCode=500
| rex "SourceName\=\"AD FS Auditing\""

Try it.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...