
Is there a limit to the number of whitelist/blacklist configurations for security event ID filtering?

ITICSNORTH
Explorer

We are trying to configure event ID filtering for security events, but even after using the configuration below, a few events that are present in the blacklist are still getting generated in Splunk. Please point out if I am missing something in my inputs.conf file.
Is there any limitation on the number of blacklists that can be created?
Does a blacklist group have a limit on the number of event IDs in one blacklist group?

[default]
host = NLCIM007

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
suppress_text = 0
# Corrected from "whiltelist1/2/3" as originally posted: Splunk only recognises
# whitelist, whitelist1 ... whitelist9 (and the matching blacklist keys), so a
# misspelt key is silently ignored. Trailing commas removed.
whitelist1 = 4649,5378,5632,5633,4868,4869,4870,4871,4872,4873,4882,5145,5140,5142,5143,5144,4698,4699,4700,4701
whitelist2 = 4705,4706,4707,4714,4911,4913,4950,4608,4609,4616,4621,4618,4816,5060,4777,4771,4790,4742,4743,4744
whitelist3 = 4754,4755,4756,4757,4758,4764,4720,4722,4723,4725,4726,4738,4740,4767,4780,5712,4662,5136,5137,5138,5139,5141,4625
blacklist1 = 4774,4775,4776,4768,4772,4769,4770,4783,4784,4785,4648,4786,4787,4788,4789,4782,4793,4724,4765,4766,4781
blacklist2 = 5453,4654,4977,5451,5452,4634,4647,4626,6272,6273,6274,6275,6276,6277,6278,6279,6280,4778,4779,4800
blacklist3 =5152,5153,4656,4658,4690,4671,4691,5149,5888,5889,5890,5039,4709,4710,4711,4712,5040
blacklist4 =4664,4985,5051,5031,5150,5151,5154,5155,5156,5157,5158,5159,4659,4660,4661,4663
blacklist5 =5041,5042,5043,5044,5045,5046,5047,5048,5440,5441,5442,5443,5444,5446,5448,5449,5450,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5471,5472,5473,5474,5477,4944,4945,4946,4947,5062,6281
blacklist6 =4801,4802,4803,4964,4665,4666,4667,4668,4818,4874,4875,4876,4877,4878,4879,4880,4881,4883,4884,4885,4886,4887,4888,4889,4890,4891,4892,4893,4894,4895,4896,4897,4898,5168,4948,4949,4950,4951,4952,4953,4954,4956,4957,4958,4819,4909,4910,5063,5064,5065,5066,5067,6402,6403,6404,6405,6406,6407,6408,4610,4611,4614,4622,4697,4612,4615,5038,5056,5057,5061
blacklist7 =4794,5376,5377,4692,4693,4694,4695,4688,4696,4928,4929,4930,4931,4934,4935,4936,4937,4932,4933,4978,4979,4980,4981,4982,4983,4984,4646,4650,4651,4652,4653,4655,4976,5049,5068,5069,5070,5447,6144,6145,4670,4672,4673,4674,4960,4961,4962,4963,4965,5478,5479,5480,5483,5484,5485,5024,5025,5027,5028,5029,5030,5032,5033,5034,5035,5037,5058,5059,6400,6401
blacklist8 =4702,5148,4657,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4713,4716,4717,4718,4739,4864,4865,4866,4867,4704
blacklist9 =4745,4746,4747,4748,4749,4750,4751,4752,4753,4759,4760,4761,4762,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

bseader
Explorer

Old question, but I still found it while searching for workarounds. Actually there is a limit on UFs: 10 blacklist entries per stanza within inputs.conf. I've hit the limit, and for some reason my regex searches can't be combined, namely those constructed like blacklist = Message="myregex".

E.g. Blacklist1 = Message ="myregex"|EventCode="eventcode#" Message="Myotherregex" | etc. does not parse. They only work on separate lines. It's for this reason that I've hit the limit.

0 Karma

bseader
Explorer

Anticipating a 'did you try?', I also tried enclosing it in parentheses ()

e.g. Blacklist1 = (Message ="myregex"|EventCode="eventcode#" Message="Myotherregex")

No joy

0 Karma

merp96
Path Finder

Hi

There is no limit in filtering.
We had a similar issue.
You could combine all the whitelists and blacklists to improve readability.
Have a single whitelist and blacklist.
We resolved this by completing the ranges in the blacklist, so whatever is missing from the ranges in the whitelist should be listed in the blacklist.

A simple example

In the example below we have included 5100-5102 in the whitelist followed by 5104,
so 5103 should be included in the blacklist.
Also use ranges, say 5100-5200, instead of adding IDs individually.

whitelist = 5100-5102,5104-5105,5108,xxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx
blacklist = 5103,5106-5107,zzzz,zzzz,zzzz,zzzz,zzzz

Please accept the answer if this solves your issue.

0 Karma
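The two answers above make two practical points that are easy to get wrong by hand: a [WinEventLog://...] stanza accepts at most ten keys of each type (whitelist, whitelist1 ... whitelist9, and likewise for blacklist), and long ID lists are best collapsed into ranges, with the gaps inside the whitelist's ranges listed explicitly in the blacklist. The script below is an added example, not code from this thread or from Splunk: it parses the filter keys of a stanza, collapses them into a single whitelist and a single blacklist line using ranges, computes the IDs missing from a whitelist's span (merp96's "complete the ranges" step), and flags misspelt keys, more than ten keys of one type, and IDs that appear in both lists. Its sample stanza is constructed: an abridged copy of the question's stanza that keeps the whiltelist1 typo and event ID 4950, which the question lists in both whitelist2 and blacklist6; the %-delimited key=regex line is also constructed. The script assumes nothing about which list wins when an ID is in both; it only reports the conflict.

```python
"""Audit and compact Splunk WinEventLog whitelist/blacklist keys in inputs.conf.

Added example; relies on two documented inputs.conf facts only:
  * the keys are whitelist, whitelist1 ... whitelist9 (same for blacklist),
    i.e. ten per type per stanza;
  * an event-ID value is a comma-separated list where "a-b" is an inclusive range,
    and a value of the form key=regex [key=regex] is a regex filter instead.
"""
from __future__ import annotations

import re
from typing import Iterable

MAX_KEYS_PER_TYPE = 10                       # whitelist, whitelist1 ... whitelist9
FILTER_KEY = re.compile(r"^(whitelist|blacklist)[1-9]?$")
LOOKS_LIKE_FILTER = re.compile(r"^[a-z]*list\d*$")   # catches typos such as whiltelist1


def parse_event_ids(value: str) -> set[int]:
    """Parse "4624,4768-4771, 5140," into a set of ints (tolerates spaces and trailing commas)."""
    ids: set[int] = set()
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", tok)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"reversed range {tok!r}")
            ids.update(range(lo, hi + 1))
        elif tok.isdigit():
            ids.add(int(tok))
        else:
            raise ValueError(f"not an event ID or range: {tok!r}")
    return ids


def to_ranges(ids: Iterable[int]) -> str:
    """Collapse IDs into the shortest comma-separated a-b form, e.g. 4768-4770,4772."""
    runs: list[list[int]] = []
    for n in sorted(set(ids)):
        if runs and runs[-1][1] == n - 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def missing_in_span(ids: Iterable[int]) -> set[int]:
    """IDs between min and max that are NOT listed: the gaps to put in the other list."""
    s = set(ids)
    return set(range(min(s), max(s) + 1)) - s if s else set()


def audit(stanza: str) -> dict:
    """Collect the filter keys of one stanza and report the problems this thread hit."""
    found = {"whitelist": set(), "blacklist": set()}
    counts = {"whitelist": 0, "blacklist": 0}
    regex_filters: list[tuple[str, str]] = []    # (kind, value) kept verbatim
    unknown: list[str] = []
    for line in stanza.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = FILTER_KEY.match(key)
        if not m:
            if LOOKS_LIKE_FILTER.match(key):     # e.g. whiltelist1: Splunk never reads it
                unknown.append(key)
            continue
        kind = m.group(1)
        counts[kind] += 1
        if "=" in value:                         # key=regex form: not an ID list
            regex_filters.append((kind, value))
        else:
            found[kind] |= parse_event_ids(value)
    return {
        "whitelist": found["whitelist"],
        "blacklist": found["blacklist"],
        "overlap": sorted(found["whitelist"] & found["blacklist"]),
        "unknown_keys": unknown,
        "too_many": {k: v for k, v in counts.items() if v > MAX_KEYS_PER_TYPE},
        "regex_filters": regex_filters,
    }


def compact(stanza: str) -> list[str]:
    """Rewrite all ID keys as one whitelist and one blacklist line; renumber regex keys after them."""
    a = audit(stanza)
    nums = {"whitelist": 0, "blacklist": 0}

    def next_key(kind: str) -> str:
        n = nums[kind]
        nums[kind] += 1
        return kind if n == 0 else f"{kind}{n}"

    out = []
    for kind in ("whitelist", "blacklist"):
        if a[kind]:
            out.append(f"{next_key(kind)} = {to_ranges(a[kind])}")
    for kind, value in a["regex_filters"]:
        out.append(f"{next_key(kind)} = {value}")
    return out


# Constructed sample: an abridged copy of the question's stanza. It keeps the
# misspelt whitelist key and ID 4950, which that post lists in both whitelist2 and
# blacklist6. The blacklist7 regex line is constructed for illustration.
SAMPLE_STANZA = """
[WinEventLog://Security]
disabled = 0
whiltelist1 = 4649,5378,5632,5633,
whitelist2 = 4705,4706,4707,4714,4911,4913,4950,4608,4609
whitelist3 = 4754,4755,4756,4757,4758,4764,4720,4722
blacklist1 = 4774,4775,4776,4768,4772,4769,4770,
blacklist6 = 4801,4802,4803,4964,4948,4949,4950,4951,4952
blacklist7 = EventCode=%^4662$% Message=%groupPolicyContainer%
"""

if __name__ == "__main__":
    report = audit(SAMPLE_STANZA)
    print("ignored (misspelt) keys:", report["unknown_keys"])
    print("IDs in both lists:", report["overlap"])
    print("over the 10-key limit:", report["too_many"] or "no")
    print("\n".join(compact(SAMPLE_STANZA)))
    # merp96's gap rule on their own example:
    print("gaps:", to_ranges(missing_in_span(parse_event_ids("5100-5102,5104-5105,5108"))))
```

Run it as a plain script; it needs only the standard library. Feed it a real stanza copied from inputs.conf and it will tell you whether a key will be ignored, whether you are past ten keys of a type, and which IDs you have listed on both sides, before you restart the forwarder and wait for events to show up.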