Hello,
I am using Splunk Enterprise 6.2.3 Universal Forwarder to monitor events from the Security log on a Windows server. I need to be able to blacklist all events with SourceName = "Microsoft Windows security auditing." and SourceName="Microsoft-Windows-Eventlog". Can this be done? I can blacklist EventCode with a UF but the SourceName doesn't seem to work. Thanks!
This works...
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="4858"
This does not...
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing."
I wonder, does it see the "." in your blacklist2 item and believe that's a regex?
It may be worth trying one of the following:
blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing\."
or
blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing"
I really don't know precisely HOW it determines whether your lines fit the non-regex or the regex filtering way (as per the docs).
Hi All,
I got it to work by adding a regex statement to the blacklist.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = SourceName="^Microsoft.*$"
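Added example, not from the thread and not Splunk's own code: a small Python emulator of the inputs.conf blacklist forms used above (key="regex" pairs and the bare EventCode list), so candidate lines can be checked against sample events before they are pushed to a forwarder. The sample events are constructed; the hyphenated provider-name spelling of SourceName is an assumption, chosen to show how a pattern written from a display name can fail to match while "^Microsoft.*$" matches. It also assumes the regex is applied as an unanchored search on the field value, that keys on one line are ANDed, and that separate blacklistN lines are ORed.

```python
import re

# Constructed sample events (an assumption for this demo, not records from
# the poster's server). The provider name is treated as the event's SourceName.
SAMPLE_EVENTS = [
    {"EventCode": "4747", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"EventCode": "4624", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"EventCode": "1102", "SourceName": "Microsoft-Windows-Eventlog"},
    {"EventCode": "7036", "SourceName": "Service Control Manager"},
]

# The three stanzas from the thread, trimmed to their blacklist lines.
STANZA_EVENTCODES = """[WinEventLog://Security]
blacklist1 = EventCode="4747"
blacklist2 = EventCode="4858"
"""
STANZA_DISPLAYNAME = """[WinEventLog://Security]
blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing."
"""
STANZA_REGEX = """[WinEventLog://Security]
blacklist = SourceName="^Microsoft.*$"
"""

# key="regex" pairs; a backslash-escaped character inside the quotes is allowed.
KEY_REGEX = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
BLACKLIST_LINE = re.compile(r"^blacklist\d*\s*=\s*(.*)$")


def _compile_rule(value):
    """Turn one blacklist value into a list of (field, predicate) pairs.

    key="regex" form: every pair on the line must match (AND). Matching is
    assumed to be an unanchored search on the field value, so '.' is a
    metacharacter and 'Microsoft' alone would match 'Microsoft-Windows-...'.
    Bare form: a comma list of EventCodes or ranges such as 4747-4858.
    """
    pairs = KEY_REGEX.findall(value)
    if pairs:
        return [(key, re.compile(rx).search) for key, rx in pairs]
    codes = set()
    for part in value.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            codes.update(str(c) for c in range(int(lo), int(hi) + 1))
        elif part:
            codes.add(part)
    return [("EventCode", lambda v, allowed=codes: v in allowed)]


def parse_blacklist(stanza):
    """Collect the blacklist rules from an inputs.conf stanza; other keys are ignored."""
    rules = []
    for line in stanza.splitlines():
        m = BLACKLIST_LINE.match(line.strip())
        if m:
            rules.append(_compile_rule(m.group(1).strip()))
    return rules


def is_blacklisted(rules, event):
    """Separate blacklistN lines are ORed: any fully matching line drops the event."""
    return any(all(pred(event.get(field, "")) for field, pred in rule) for rule in rules)


def surviving_event_codes(stanza, events=SAMPLE_EVENTS):
    """EventCodes the forwarder would still send under this stanza."""
    rules = parse_blacklist(stanza)
    return [e["EventCode"] for e in events if not is_blacklisted(rules, e)]


if __name__ == "__main__":
    for name, stanza in [("EventCode list", STANZA_EVENTCODES),
                         ("display-name SourceName", STANZA_DISPLAYNAME),
                         ("anchored regex", STANZA_REGEX)]:
        print(f"{name:24s} -> forwarded: {surviving_event_codes(stanza)}")
```

Run it with a stanza copied from your own inputs.conf and a handful of real SourceName values from the target server; if a display-name pattern leaves the auditing events in the "forwarded" list, the pattern is what needs changing, not the forwarder.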