Blacklists and suppress_text in Splunk 6.2.4 are not working for me on a heavy forwarder.
My inputs.conf is:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1
...
And I've also tried
[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1
and many variations on the source. The blacklist and suppress_text are doing nothing. I still get firewall events I don't want to see.
Suggestions please.
It would help if you posted the exact error log text, but if it is as you are saying, then my guess is that you are using an older version of Splunk that does not support that blacklist format. I say this because the documentation for the latest version of Splunk clearly supports it:
Either that or you do not have a proper Heavy Forwarder binary installed (maybe Splunk makes the Universal/Light Forwarder treat incompatible settings as though they are nonsensical, which is what this log is saying).
Well, you clearly missed that I was running 6.2.4. Unless there is a secret version, it clearly does not work with 6.2.4 and the Heavy Forwarder pulling the logs from the Windows systems and applying the blacklist rules. Something is wrong here.
Restarting Splunk in a command prompt: Invalid key stanza for the blacklist line
Well, now I know why it's not working. It's being ignored.
Now how do I fix it?
Added the Splunk for Windows add-on. OK, the blacklist stanza error is now gone. Blacklist in inputs.conf is
[WinEventLog://Security]
blacklist = 5156-5158
Accepted, but not working. Logs come through. Suspect it's because I'm pulling via WMI and it's bypassing the rule.
This looks all good to me (you do not need the disabled line at all, BTW); did you restart your Splunk instances on your Forwarders?
That's just it: I'm using the Heavy Forwarder to pull the logs via WMI from the Windows machines. There are no other forwarders. It appears that when pulling from WMI only, blacklist and the suppress_text aren't available. I will see what the universal forwarder does in a bit.
Thanks for the comment though.
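As an added example (not part of the thread above), a small checker that parses an inputs.conf in the form posted here and flags blacklist / suppress_text keys placed under stanzas other than WinEventLog://, which is what the "Invalid key stanza" error and the ignored WMI rule in this thread came down to. The sample inputs.conf is constructed from the three stanzas in the thread; the assumption that only the native WinEventLog:// input honours these keys is taken from the thread, not from Splunk documentation.

```python
import configparser
import re

# Constructed sample reproducing the three stanzas posted in the thread.
SAMPLE_INPUTS_CONF = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

[WinEventLog://Security]
blacklist = 5156-5158
"""

# Assumption (from the thread): these keys are only honoured under WinEventLog:// stanzas.
FILTER_KEYS = ("blacklist", "suppress_text")
# Simple event-ID form used in the thread: "5156" or "5152-5158", comma separated.
EVENT_ID_SPEC = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for a Splunk-style .conf file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_event_filters(stanzas):
    """Return a list of findings for filter keys that will not take effect."""
    findings = []
    for name, keys in stanzas.items():
        present = [k for k in FILTER_KEYS if k in keys]
        if not present:
            continue
        if not name.startswith("WinEventLog://"):
            findings.append(f"{name}: {', '.join(present)} ignored (not a WinEventLog:// stanza)")
        blacklist = keys.get("blacklist")
        if blacklist is not None and not EVENT_ID_SPEC.match(blacklist.replace(" ", "")):
            findings.append(f"{name}: blacklist '{blacklist}' is not in simple event-ID/range form")
    return findings


if __name__ == "__main__":
    for finding in check_event_filters(parse_inputs_conf(SAMPLE_INPUTS_CONF)):
        print(finding)
```

Run against the sample, it reports the script:// and WMI: stanzas and stays silent on the WinEventLog://Security stanza.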