Inputs.conf Blacklist - Different Messages on the same line

icewolf69
Loves-to-Learn Everything

Hi All, 

I'm tweaking my inputs.conf file to exclude some events for the Windows Security log.

I'm filtering EventCode 4688 by message.  For compatibility reasons, I want to use the same inputs.conf file for all Windows machines.  But Windows 11 has tweaked a couple of event logs, and one of those is 4688.

For Windows 10 and below the following blacklist is working as expected:

blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"

This filters everything except %%1937.

But this won't work for Windows 11, because they have changed the Token Elevation Type to "TokenElevationTypeFull" from the previous "%%1937".  Therefore, if a Windows 10 inputs.conf file ends up on a Windows 11 machine, it blacklists all the 4688 logs.

So simply, I would like to add the 2 lines together on a single line, so that if either TokenElevationType is found, it goes through.  But the "|" operator doesn't seem to be working, or I'm not doing the correct syntax.

blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"
blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*TokenElevationTypeFull)"

Can anyone help marry these 2 checks with an OR operator?

Thank you

icewolf69
Loves-to-Learn Everything

I think I've figured it out, just went a different direction with deny/allow syntax.  I'm not sure if this is more CPU intensive than the first method, since it would be checking 4 conditions instead of 2...

blacklist1 = EventCode="4688" Message="%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"

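As an added illustration (not part of the original post or reply), the following Python emulates how a single inputs.conf blacklist line is evaluated against constructed Windows 10 and Windows 11 4688 messages: the original Windows-10-only pattern, a form with the two values combined by alternation inside the negative lookahead, and the deny-list pattern from the reply. The sample messages and the `is_blacklisted` helper are assumptions for demonstration, not Splunk's own code; the helper assumes each field regex is applied as an unanchored search.

```python
import re

# Constructed, abridged 4688 Message bodies (not real exported events), plus
# one non-4688 event to show the EventCode regex gating the rule.
EVENTS = {
    "win10_full":    {"EventCode": "4688", "Message": "A new process has been created.\nToken Elevation Type:\t\t%%1937\n"},
    "win10_limited": {"EventCode": "4688", "Message": "A new process has been created.\nToken Elevation Type:\t\t%%1938\n"},
    "win11_full":    {"EventCode": "4688", "Message": "A new process has been created.\nToken Elevation Type:\t\tTokenElevationTypeFull\n"},
    "win11_limited": {"EventCode": "4688", "Message": "A new process has been created.\nToken Elevation Type:\t\tTokenElevationTypeLimited\n"},
    "logon_4624":    {"EventCode": "4624", "Message": "An account was successfully logged on.\n"},
}

# One blacklist line modelled as a field -> regex map (the key="value" pairs).
WIN10_ONLY = {"EventCode": r"4688", "Message": r"Token Elevation Type:(?!\s*%%1937)"}
# Alternation inside the negative lookahead: either spelling of "full" passes through.
COMBINED   = {"EventCode": r"4688", "Message": r"Token Elevation Type:(?!\s*(?:%%1937|TokenElevationTypeFull))"}
# The deny-list pattern from the reply: name every value that should be dropped.
DENY_LIST  = {"EventCode": r"4688", "Message": r"%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"}


def is_blacklisted(event: dict, rule: dict) -> bool:
    """Emulate one blacklist line: the event is dropped only if every field
    regex in the rule finds a match (assumed unanchored search)."""
    return all(re.search(rx, event.get(field, "")) for field, rx in rule.items())


def kept(rule: dict) -> list:
    """Names of the constructed events that survive the given blacklist line."""
    return [name for name, ev in EVENTS.items() if not is_blacklisted(ev, rule)]


if __name__ == "__main__":
    for label, rule in (("win10-only", WIN10_ONLY), ("combined", COMBINED), ("deny-list", DENY_LIST)):
        print(f"{label:10s} keeps: {kept(rule)}")
```

Running it shows the Windows-10-only line dropping the Windows 11 elevated event, while both the combined lookahead and the deny-list keep the elevated events on either OS.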