Hi, I was wondering: can we blacklist the ProcessName value "-" in the inputs.conf on the DS, to save Splunk license?
Sample Event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>3</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-10-17T16:07:15.4402877Z'/><EventRecordID>455140</EventRecordID><Correlation ActivityID='{b2071651-382e-4101-85e8-28f5e9b1b5d5}'/><Execution ProcessID='1112' ThreadID='3816'/><Channel>Security</Channel><Computer>xyz.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>xxx$</Data><Data Name='TargetDomainName'>xyx.COM</Data><Data Name='TargetLogonId'>0xb126027</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{c425351a-8525-d2f0-f686-1a0aff9db449}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='RemoteCredentialGuard'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
Thanks
This would be done on a heavy forwarder or the indexer(s), whichever the events hit first. The link below has information on how to do this. You can do it with SEDCMD in a props.conf. The code below is an excerpt from that page that shows specifically how you would do this. In this case, <Data Name='IpPort'>0</Data> is being turned into <Data Name='IpPort'></Data>.
#For XmlWinEventLog:Security
SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration
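The SEDCMD above only blanks a field value; the licensed byte count barely changes. To stop paying for the whole event, the standard mechanism is a props.conf/transforms.conf pair that routes matching events to nullQueue. The following is an added example, not part of the original answer or of the linked Splunk docs page. The stanza and transform names (drop_4624_dash_procname) are my own, and the [XmlWinEventLog:Security] stanza assumes that is the sourcetype your add-on version assigns; newer versions of the Splunk Add-on for Windows use sourcetype XmlWinEventLog with source XmlWinEventLog:Security, in which case a [source::XmlWinEventLog:Security] stanza is the one to use. The commented-out alternative REGEX is also my suggestion, keyed on the fields visible in the sample event.

```ini
# props.conf -- on the heavy forwarder or indexer that parses the events.
# A universal forwarder does not parse, so nullQueue routing cannot run there.
# Added example, not from the original thread. Stanza name assumed to match
# the sourcetype the Windows add-on assigns in your environment.
[XmlWinEventLog:Security]
TRANSFORMS-drop_dash_procname = drop_4624_dash_procname

# transforms.conf
[drop_4624_dash_procname]
# Match only EventID 4624 events whose ProcessName is the literal '-'.
# The XML arrives as a single line, so '.*' spans the whole event; the
# single quotes around attribute values are matched literally.
REGEX = <EventID>4624</EventID>.*<Data Name='ProcessName'>-</Data>
# Send the matching event to the null queue: it is discarded before indexing
# and never counts against the license.
DEST_KEY = queue
FORMAT = nullQueue

# Narrower alternative (assumed, matches the field order in the sample event):
# drop only machine-account ($) logons from the local host, which is what the
# sample shows, and keep every other network logon.
# REGEX = <EventID>4624</EventID>.*<Data Name='TargetUserName'>[^<]*\$</Data>.*<Data Name='ProcessName'>-</Data>.*<Data Name='IpAddress'>127\.0\.0\.1</Data>
```

One caveat before deploying the broad version: a ProcessName of '-' is normal for LogonType 3 (network) logons such as the Kerberos logon in the sample, so the first REGEX discards every network logon recorded in the Security log. Those records are exactly what lateral-movement and pass-the-ticket detections rely on, which is why the narrower REGEX, scoped to machine-account logons from 127.0.0.1, is usually the better trade between license savings and detection coverage. After a restart of the parsing tier, confirm the effect by searching for EventCode=4624 with ProcessName="-" and by watching the per-sourcetype volume in the license usage report.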