Getting Data In

Error with blacklisting 4662 events in inputs.conf

aelliott
Motivator

When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

I have the UF 6.1.1 installed on my dc's.

Error:

07-15-2014 10:37:30.358 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.

inputs.conf:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0 
start_from = oldest
current_only = 1
index = dclogs
maxKBps=0
evt_resolve_ad_obj = 0
evt_dc_name = localhost
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode=566 Message="Object Type:\s+(?!groupPolicyContainer)"
0 Karma

phirayam
Engager

I think that the regex is missing a pair of quotations. I think that the blacklist lines should look like:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

That would explain the error message with the 4 being picked up as a delimeter instead.

Ayn
Legend

Could you post relevant configs?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...