Getting Data In

Heavy Forwarder Pulling Windows events: blacklist not working

klutzen
Explorer

Blacklists and suppress_text in Splunk 6.2.4 are not working for me on a heavy forwarder.

My inputs.conf is:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1
...

And I've also tried

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

and many variations on the source. The blacklist and suppress_text are doing nothing. I still get firewall events I don't want to see.

Suggestions please.

0 Karma

woodcock
Esteemed Legend

It would help if you posted the exact error log text, but if it is as you are saying, then my guess is that you are using an older version of Splunk that does not support that blacklist format. I say this because the documentation for the latest version of Splunk clearly supports it:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Monitorwindowsdata#Use_the_Security_event_log...

Either that or you do not have a proper Heavy Forwarder binary installed (maybe Splunk makes the Universal/Light Forwarder treat incompatible settings as though they are nonsensical, which is what this log is saying).

0 Karma

klutzen
Explorer

Well, you clearly missed that I was running 6.2.4. Unless there is a secret version, it clearly does not work with 6.2.4 and the Heavy Forwarder pulling the logs from the Windows systems and applying the blacklist rules. Something is wrong here.

0 Karma

klutzen
Explorer

Restarting Splunk in a command prompt: Invalid key stanza for the blacklist line

Well, now I know why it's not working. It's being ignored.

Now how do I fix it?

0 Karma

klutzen
Explorer

Added the Splunk for Windows add-on. OK, the blacklist stanza error is now gone. The blacklist in inputs.conf is:

[WinEventLog://Security]
blacklist = 5156-5158

Accepted, but not working. Logs come through. I suspect it's because I'm pulling via WMI and it's bypassing the rule.

0 Karma

woodcock
Esteemed Legend

This looks all good to me (you do not need the disabled line at all, BTW); did you restart your Splunk instances on your Forwarders?

0 Karma

klutzen
Explorer

That's just it: I'm using the Heavy Forwarder to pull the logs via WMI from the Windows machines. There are no other forwarders. It appears that when pulling from WMI only, blacklist and the suppress_text aren't available. I will see what the universal forwarder does in a bit.

Thanks for the comment though.

0 Karma
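The outcome of the thread above is that `blacklist` and `suppress_text` were accepted under a `[WinEventLog://Security]` stanza but did nothing for events pulled over WMI, and were rejected outright ("Invalid key stanza") under the WMI stanzas. The following is an added example, not code from the thread or from Splunk: a small Python lint that parses an inputs.conf, flags filter keys placed under WMI-based stanzas (`[WMI:...]` or the `splunk-wmi.path` scripted input) as not taking effect, based on what the thread observed, and expands numeric `blacklist` ranges so you can check whether a given EventCode would actually be dropped. The sample inputs.conf text is constructed from the stanzas posted above; the function names are this example's own, and the key=regex blacklist form is deliberately not handled.

```python
"""Lint a Splunk inputs.conf for Windows event log blacklists that will not take effect.

Added example; not from the original thread or from Splunk. It encodes the thread's
observation on 6.2.4: blacklist/suppress_text were honoured only under the native
[WinEventLog://...] input, not under WMI-based inputs ([WMI:...] stanzas or the
splunk-wmi.path scripted input). Helper names and the sample file are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample mirroring the stanzas posted in the thread (not a real deployment file).
SAMPLE_INPUTS_CONF = """
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

[WinEventLog://Security]
blacklist = 5156-5158
"""

# Keys the thread tried to use for filtering Windows Security events.
FILTER_KEYS = ("blacklist", "whitelist", "suppress_text")


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf parser: [stanza] headers followed by key = value lines.

    Comments (#) and blank lines are skipped. Within one file a repeated key in the
    same stanza overwrites the earlier value (last wins), as Splunk does.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def is_wmi_stanza(name: str) -> bool:
    """True for WMI-based inputs: [WMI:...] stanzas and the splunk-wmi.path scripted input."""
    return name.startswith("WMI:") or name.lower().endswith("splunk-wmi.path")


def expand_event_codes(spec: str) -> Set[int]:
    """Expand a numeric list such as '4624,5152-5158' into the set of EventCodes it covers.

    Only the comma-separated number/range form is handled; the key=regex form is not.
    """
    codes: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def lint(text: str) -> List[str]:
    """One finding per stanza whose filter keys sit under a WMI-based input."""
    findings: List[str] = []
    for name, keys in parse_inputs_conf(text).items():
        present = [k for k in FILTER_KEYS if k in keys]
        if present and is_wmi_stanza(name):
            findings.append(
                f"[{name}]: {', '.join(present)} not applied to WMI-based input "
                "(per thread observation on 6.2.4); events will still arrive"
            )
    return findings


def would_be_dropped(text: str, stanza: str, event_code: int) -> bool:
    """True if event_code is covered by a blacklist in a stanza where blacklists take effect."""
    keys = parse_inputs_conf(text).get(stanza, {})
    if is_wmi_stanza(stanza) or "blacklist" not in keys:
        return False
    return event_code in expand_event_codes(keys["blacklist"])


if __name__ == "__main__":
    for finding in lint(SAMPLE_INPUTS_CONF):
        print(finding)
    print("5157 dropped by [WinEventLog://Security]:",
          would_be_dropped(SAMPLE_INPUTS_CONF, "WinEventLog://Security", 5157))
```

Run against the constructed sample, the lint reports both WMI-based stanzas and confirms that 5157 (a Windows Filtering Platform event, in the 5156-5158 range the poster was trying to drop) would only be filtered by the `[WinEventLog://Security]` stanza, and 5152 is not covered by that stanza's range at all.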