Solved: Re: What is wrong with my inputs.conf eventcode bl...

splunkIT · ‎08-01-2014

I have setup the following inputs.conf stanza :



[WinEventLog://Security] 

disabled=0 

current_only=1 

blacklist1=EventCode=4662 Message=”Object Type:\s+(?!groupPolicyContainer)”

but these events are still showing up in splunk when I search , what is the issue here?

I am using windows universal forwarder 6.1.1 and the latest windows-TA

kserra_splunk · ‎08-01-2014

The issue here is that the EventCode=4662 needs to be surrounded by some sort of delimiter , per the following in inputs.conf

In key/regex formn, the first character of the regex is the delimeter. Valid regexes look like:
%regex% regex "regex" etc. The only restriction is that the delimiter cannot be within the regex itself.

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Inputsconf

So if you instead add a delimiter , EventCode="4662" this will resolve the issue

blacklist1=EventCode="4662" Message=”Object Type:s+(?!groupPolicyContainer)”

should work

View solution in original post

kserra_splunk · ‎08-01-2014

The issue here is that the EventCode=4662 needs to be surrounded by some sort of delimiter , per the following in inputs.conf

In key/regex formn, the first character of the regex is the delimeter. Valid regexes look like:
%regex% regex "regex" etc. The only restriction is that the delimiter cannot be within the regex itself.

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Inputsconf

So if you instead add a delimiter , EventCode="4662" this will resolve the issue

blacklist1=EventCode="4662" Message=”Object Type:s+(?!groupPolicyContainer)”

should work

splunkIT · ‎08-01-2014

Thanks bro. That did it for me.

What is wrong with my inputs.conf eventcode blacklist?

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification