When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
I have UF 6.1.1 installed on my DCs.
Error:
07-15-2014 10:37:30.358 -0500 ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.
inputs.conf:
[WinEventLog://Security]
checkpointInterval = 5
disabled = 0
start_from = oldest
current_only = 1
index = dclogs
maxKBps = 0
evt_resolve_ad_obj = 0
evt_dc_name = localhost
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode=566 Message="Object Type:\s+(?!groupPolicyContainer)"
I think that the regex is missing a pair of quotation marks. I think that the blacklist lines should look like:
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
That would explain the error message, with the 4 being picked up as the delimiter instead.
Could you post relevant configs?
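The following is an added example, not part of the thread above and not Splunk's code. It approximates how splunk-winevtlog.exe reads a blacklistN value as key=&lt;delimiter&gt;regex&lt;delimiter&gt; pairs (the parser here is a hypothetical re-implementation written to reproduce the error in the question), and then runs both the rejected and the quoted blacklist lines against constructed 4662 and 4624 events laid out like rendered Windows Security event text, where "Object Type:" is followed by two tabs. It goes one step beyond the thread: with more than one whitespace character before the value, `\s+(?!groupPolicyContainer)` can backtrack to a single tab and the negative lookahead then succeeds, so the groupPolicyContainer event is discarded as well. The STRICT_RULE variant with a trailing `\S` is my suggestion, not something posted in the thread.

```python
import re

# Blacklist lines from the thread: the unquoted form that splunkd rejected and
# the quoted form proposed in the answer.
BAD_RULE = r'EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"'
GOOD_RULE = r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"'
# Tightened variant (my suggestion, not from the thread): requiring a non-space
# character right after the lookahead stops \s+ from backtracking past a tab.
STRICT_RULE = r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)\S"'


def parse_blacklist(rule):
    """Parse one blacklistN value into {key: compiled_regex}.

    Hypothetical approximation of how splunk-winevtlog.exe reads
    'key=<d>regex<d>' pairs, written to reproduce the error in the question:
    the character after '=' is taken as the regex delimiter and the regex runs
    to the next occurrence of that character. With EventCode=4662 the delimiter
    becomes '4', which never reappears, hence "failed to find delimiter '4'".
    """
    rules = {}
    pos = 0
    while pos < len(rule):
        if rule[pos].isspace():          # whitespace between key=regex pairs
            pos += 1
            continue
        eq = rule.find("=", pos)
        if eq == -1:
            raise ValueError(f"no '=' in {rule[pos:]!r}")
        key = rule[pos:eq].strip()
        if eq + 1 >= len(rule):
            raise ValueError(f"no regex for key {key!r}")
        delim = rule[eq + 1]             # first char after '=' is the delimiter
        end = rule.find(delim, eq + 2)   # regex runs to the matching delimiter
        if end == -1:
            raise ValueError(
                f"failed to find delimiter {delim!r} in regex "
                f"{rule[eq + 1:]!r} for key {key!r}")
        rules[key] = re.compile(rule[eq + 2:end])
        pos = end + 1
    return rules


def is_blacklisted(event, rules):
    """Within one blacklistN rule the key=regex pairs are ANDed: the event is
    discarded only if every listed field matches its regex."""
    return all(key in event and rx.search(event[key]) for key, rx in rules.items())


# Constructed events resembling rendered Windows Security event text (not
# captured from a real DC); "Object Type:" is followed by two tabs.
EVENTS = {
    "gpo": {
        "EventCode": "4662",
        "Message": "An operation was performed on an object.\r\n"
                   "Object:\r\n\tObject Server:\t\tDS\r\n"
                   "\tObject Type:\t\tgroupPolicyContainer\r\n",
    },
    "user": {
        "EventCode": "4662",
        "Message": "An operation was performed on an object.\r\n"
                   "Object:\r\n\tObject Server:\t\tDS\r\n"
                   "\tObject Type:\t\tuser\r\n",
    },
    "logon": {
        "EventCode": "4624",
        "Message": "An account was successfully logged on.",
    },
}


def parse_error(rule):
    """Return the parser's error text for a rule, or None if it parses."""
    try:
        parse_blacklist(rule)
    except ValueError as exc:
        return str(exc)
    return None


def dropped(rule):
    """Sorted labels of the constructed events the rule would discard."""
    rules = parse_blacklist(rule)
    return sorted(name for name, ev in EVENTS.items() if is_blacklisted(ev, rules))


if __name__ == "__main__":
    print("bad rule   :", parse_error(BAD_RULE))
    print("good rule  :", parse_error(GOOD_RULE), "-> drops", dropped(GOOD_RULE))
    print("strict rule:", parse_error(STRICT_RULE), "-> drops", dropped(STRICT_RULE))
```

Running it shows the unquoted line failing with the same "failed to find delimiter '4'" wording as the splunkd.log entry, the quoted line parsing cleanly but discarding both 4662 events (the tab backtracking described in the lead-in), and the tightened regex discarding only the non-GPO 4662 event while the 4624 logon is untouched by either rule. Splunk's Message regex is PCRE, and Python's `re` agrees with it on these constructs, so the same check is a cheap way to test a blacklist regex against exported event text before deploying it to the forwarders.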