Error with blacklisting 4662 events in inputs.conf

aelliott · ‎07-15-2014

When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

I have the UF 6.1.1 installed on my dc's.

Error:

07-15-2014 10:37:30.358 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.

inputs.conf:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0 
start_from = oldest
current_only = 1
index = dclogs
maxKBps=0
evt_resolve_ad_obj = 0
evt_dc_name = localhost
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode=566 Message="Object Type:\s+(?!groupPolicyContainer)"

phirayam · ‎07-31-2014

I think that the regex is missing a pair of quotations. I think that the blacklist lines should look like:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

That would explain the error message with the 4 being picked up as a delimeter instead.

Ayn · ‎07-15-2014

Could you post relevant configs?

Error with blacklisting 4662 events in inputs.conf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases