
Inputs.conf Blacklist - Different Messages on the same line

icewolf69

Hi All,


I'm tweaking my inputs.conf file to exclude some events for the Windows Security log.

I'm filtering EventCode 4688 by message. For compatibility reasons, I want to use the same inputs.conf file for all Windows machines. But Windows 11 has tweaked a couple of event logs, and one of those is 4688.

For Windows 10 and below the following blacklist is working as expected:

blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"

This filters everything except %%1937.

But this won't work for Windows 11, because they have changed the Token Elevation Type to "TokenElevationTypeFull" from the previous "%%1937". Therefore if a Windows 10 inputs.conf file ends up on a Windows 11 machine, it blacklists all the 4688 logs.

So simply, I would like to add the 2 lines together on a single line, so that if either Token Elevation Type is found, it goes through. But the "|" operator doesn't seem to be working, or I'm not using the correct syntax.

blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"
blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*TokenElevationTypeFull)"


Can anyone help marry these 2 checks with an OR operator?


Thank you


icewolf69

I think I've figured it out; I just went a different direction with deny/allow syntax. I'm not sure if this is more CPU intensive than the first method, since it would be checking 4 conditions instead of 2...

blacklist1 = EventCode="4688" Message="%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"


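The following is an added example, not code from the original thread or from Splunk. It uses Python's re module as a stand-in for the regex engine Splunk applies to the Message field (both support negative lookahead and alternation, which is all these patterns need), and runs the question's Windows 10 blacklist, the reply's deny-list pattern, a corrected single-line OR form, and an assumed naive "|" attempt over constructed 4688 message fragments. Only the "Token Elevation Type" wording and the %%1936/%%1937/%%1938 and TokenElevationType* values come from the thread; the rest of the message layout, the event names, and the NAIVE_OR pattern are assumptions made for the demonstration.

```python
import re

# Constructed 4688 Message fragments (not captured events). The field name and
# the elevation values are from the thread; the surrounding layout is assumed.
SAMPLE_EVENTS = {
    "win10-full":    "A new process has been created.\r\n\r\nToken Elevation Type:\t%%1937\r\n",
    "win10-default": "A new process has been created.\r\n\r\nToken Elevation Type:\t%%1936\r\n",
    "win10-limited": "A new process has been created.\r\n\r\nToken Elevation Type:\t%%1938\r\n",
    "win11-full":    "A new process has been created.\r\n\r\nToken Elevation Type:\tTokenElevationTypeFull\r\n",
    "win11-default": "A new process has been created.\r\n\r\nToken Elevation Type:\tTokenElevationTypeDefault\r\n",
    "win11-limited": "A new process has been created.\r\n\r\nToken Elevation Type:\tTokenElevationTypeLimited\r\n",
}

# Message= regexes. WIN10_ONLY and DENYLIST are the thread's own patterns.
# NAIVE_OR is an assumed way of writing the "|" that does NOT work: inside
# (?!...) the alternation covers the whole lookahead, so the second branch
# no longer allows the leading whitespace and never matches "\tTokenElevationTypeFull".
# COMBINED groups the two values so either one passes the negative lookahead.
PATTERNS = {
    "WIN10_ONLY": r"Token Elevation Type:(?!\s*%%1937)",
    "NAIVE_OR":   r"Token Elevation Type:(?!\s*%%1937|TokenElevationTypeFull)",
    "COMBINED":   r"Token Elevation Type:(?!\s*(?:%%1937|TokenElevationTypeFull))",
    "DENYLIST":   r"%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited",
}


def is_blacklisted(message: str, pattern: str) -> bool:
    """A blacklist drops the event when the regex matches anywhere in the
    Message field (unanchored search), so True means 'dropped before indexing'."""
    return re.search(pattern, message) is not None


def evaluate(pattern: str) -> dict:
    """Map each sample event name to whether the pattern would drop it."""
    return {name: is_blacklisted(msg, pattern) for name, msg in SAMPLE_EVENTS.items()}


def kept_events(pattern: str) -> set:
    """Names of the events that survive the blacklist (what actually gets indexed)."""
    return {name for name, dropped in evaluate(pattern).items() if not dropped}


def inputs_conf_line(n: int, pattern: str) -> str:
    """Render a pattern as an inputs.conf blacklist<n> line for the Security log stanza."""
    return f'blacklist{n} = EventCode="4688" Message="{pattern}"'


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name}:")
        print("  " + inputs_conf_line(1, pattern))
        print("  kept:", sorted(kept_events(pattern)))
```

Running it shows WIN10_ONLY keeping only win10-full (every Windows 11 event is dropped, which is the problem described in the question), NAIVE_OR behaving identically because the ungrouped alternation never matches the tab-separated Windows 11 value, and both COMBINED and DENYLIST keeping exactly win10-full and win11-full. Two practical points follow from this: the two lines in the question cannot coexist as written because they share the key blacklist1 in one stanza, so either merge them into one regex as COMBINED does or give the second its own key; and the deny-list form is an unanchored substring match on the whole Message, which is fine here because a 4688 message carries one Token Elevation Type field, but worth remembering if the same values could ever appear in another field.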