Using the following inputs.conf on a Splunk forwarder:
[WinEventLog://Security]
index = wineventlog_test
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
# Windows 7 = 4688, 489
# Windows XP = 592, 593
whitelist1 = EventCode="4688|4689|592|593"
This will pull the 4 event codes just fine. However, I am trying to filter any events created by the "NT AUTHORITY\SYSTEM" and "SYSTEM" accounts.
The documentation on the WinEventLog input points to using a limited set of specific keys to filter only, and none of them have worked. For example:
blacklist1 = User="NT\sAUTHORITY\\SYSTEM|SYSTEM"
OR
blacklist1 = Sid="S\-1\-5\-18"
Here is the documentation link: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata#Create_advanced_filters_wi...
We are attempting to index USER process creation and closures. These accounts do not represent users, so we do not want to index them. These service account events are 90% of the indexed data. So filtering these out will significantly reduce traffic and license usage.
Is there a way to simply filter the raw input? Is there a way to configure the forwarder to ignore EventLog records that contain a RegEx match at all?
The nullQueue may be a way to handle this situation. I'm by no means an expert, but I used it to remove users that end in dollar signs. I'm sure it would be easy to adapt this to your needs.
In my props.conf,
[source::WinEventLog:Security]
TRANSFORMS-remove-unwanted-users = unwanted-users-to-nullQ
In transforms.conf:
[unwanted-users-to-nullQ]
REGEX = Account\s{1}Name:.*\$
DEST_KEY = queue
FORMAT = nullQueue
Now, keep in mind that the way I'm doing it, ALL items from source::WinEventLog:Security will be filtered like this. That may or may not be what you want, but it is what I've got set up.
Hi, I know this was long ago, but is the above transform regex for users ending in $?
I have the same problem as the original poster. There is no clear answers anywhere to what I believe would be a very common problem.
I too have tried regex in inputs.conf with no luck. I want to try the props and transforms on the indexers but I want to be sure I'm doing the right thing.
I don't want to index specifically event codes 4624 and 4634 for users that end in $
Eg. P62134$
Thank you if you or anyone is out there to clarify.
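A way to dry-run nullQueue transforms against sample events before putting them on the indexers, covering both the original question (dropping 4688/4689 raised by SYSTEM) and the follow-up here (dropping 4624/4634 for accounts ending in $). This is an added example, not code from any of the posts above or from Splunk. The sample events are constructed; the only pattern taken from the thread is `unwanted-users-to-nullQ`, and the stanza names `system-process-events-to-nullQ`, `computer-logon-to-nullQ` and `computer-logoff-to-nullQ` with their regexes are my own assumptions. It also shows why the posted `Account\s{1}Name:.*\$` pattern is broader than intended: a 4624 for a real user whose Subject is the machine account still matches on the Subject line.

```python
import re

# Constructed sample events (not real log data). The layout mimics Splunk's
# classic WinEventLog rendering: key=value header lines, then the Message body.
# Events raised by the machine itself carry the computer account (WS01$) and
# SID S-1-5-18 (NT AUTHORITY\SYSTEM) under "Subject:".
EVENTS = {
    "4688 svchost started by SYSTEM": r"""EventCode=4688
Subject:
    Security ID:    S-1-5-18
    Account Name:   WS01$
Process Information:
    New Process Name: C:\Windows\System32\svchost.exe""",
    "4688 notepad started by jdoe": r"""EventCode=4688
Subject:
    Security ID:    EXAMPLE\jdoe
    Account Name:   jdoe
Process Information:
    New Process Name: C:\Windows\System32\notepad.exe""",
    "4624 interactive logon of jdoe": r"""EventCode=4624
Subject:
    Security ID:    S-1-5-18
    Account Name:   WS01$
New Logon:
    Security ID:    EXAMPLE\jdoe
    Account Name:   jdoe""",
    "4624 network logon of computer P62134$": r"""EventCode=4624
Subject:
    Security ID:    NULL SID
    Account Name:   -
New Logon:
    Security ID:    EXAMPLE\P62134$
    Account Name:   P62134$""",
    "4634 logoff of computer P62134$": r"""EventCode=4634
Subject:
    Security ID:    EXAMPLE\P62134$
    Account Name:   P62134$""",
}

# transforms.conf REGEX values keyed by stanza name. The first is the pattern
# posted in the answer above; the rest are hypothetical replacements written
# for this example. Splunk applies REGEX to _raw with PCRE search semantics,
# which Python's re.search approximates closely enough for these patterns.
TRANSFORMS = {
    "unwanted-users-to-nullQ": r"Account\s{1}Name:.*\$",
    # Drop 4688/4689 whose Subject is the local SYSTEM account, by SID or by
    # the resolved name evt_resolve_ad_obj = 1 produces. (?s) lets .*? span lines.
    "system-process-events-to-nullQ":
        r"(?s)EventCode=(?:4688|4689)\b.*?Subject:\s*Security ID:\s*"
        r"(?:S-1-5-18|NT AUTHORITY\\SYSTEM)\b",
    # Drop 4624 only when the New Logon account (not the Subject) ends in $.
    "computer-logon-to-nullQ":
        r"(?s)EventCode=4624\b.*?New Logon:.*?Account Name:\s*\S+\$",
    # 4634 has no New Logon section; the account sits under Subject.
    "computer-logoff-to-nullQ":
        r"(?s)EventCode=4634\b.*?Subject:.*?Account Name:\s*\S+\$",
}


def route(raw, stanzas):
    """Return ('nullQueue', stanza) for the first matching stanza, else
    ('indexQueue', None). Mirrors DEST_KEY = queue / FORMAT = nullQueue:
    once a regex hits, the event is discarded at parse time."""
    for name in stanzas:
        if re.search(TRANSFORMS[name], raw):
            return "nullQueue", name
    return "indexQueue", None


def route_all(stanzas):
    """Route every sample event through the given stanzas, in TRANSFORMS order."""
    return {label: route(raw, stanzas) for label, raw in EVENTS.items()}


def matched_text(raw, stanza):
    """Show which text a stanza's REGEX actually matched, or None."""
    m = re.search(TRANSFORMS[stanza], raw)
    return m.group(0) if m else None


if __name__ == "__main__":
    for policy in (["unwanted-users-to-nullQ"],
                   ["system-process-events-to-nullQ"],
                   ["computer-logon-to-nullQ", "computer-logoff-to-nullQ"]):
        print("TRANSFORMS order:", policy)
        for label, (queue, hit) in route_all(policy).items():
            print(f"  {queue:10s} {label}" + (f"  <- {hit}" if hit else ""))
```

Run it and the first policy sends "4624 interactive logon of jdoe" to nullQueue because the match is `Account Name:   WS01$` from the Subject block, while the 4624-specific pattern keeps that event and drops only the P62134$ logon. Whatever pattern you settle on, the props.conf/transforms.conf pair has to live on the first full Splunk instance that parses the data (the indexers or a heavy forwarder); a universal forwarder does not run TRANSFORMS, which is why the inputs.conf whitelist/blacklist keys are the only filter available there.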
Have you tried this with just "blacklist" instead of "blacklist1"? I am not 100% sure, but I believe your first blacklist/whitelist entry in the list cannot have a sequence number.
So, this should work:
blacklist = User=<yourRegEx1>
blacklist1 = User=<yourRegEx2>
blacklist2 = User=<yourRegEx3>
while this likely will not work:
blacklist1 = User=<yourRegEx1>
blacklist2 = User=<yourRegEx2>
blacklist3 = User=<yourRegEx3>
I further believe that sequence numbers cannot have gaps in them, but you don't have that anyways.
Edit: Now I see your whitelist1 = appears to work, so there goes this theory. 😉
I still tested your theory, however it did not make a difference. Thank you for your assistance though!