Getting Data In

Can I blacklist a SourceName on a Windows Security Log event using a Universal Forwarder?

Magnus_001
Explorer

Hello,

I am using Splunk Enterprise 6.2.3 Universal Forwarder to monitor events from the Security log on a Windows server. I need to be able to blacklist all events with SourceName = "Microsoft Windows security auditing." and SourceName="Microsoft-Windows-Eventlog". Can this be done? I can blacklist EventCode with a UF but the SourceName doesn't seem to work. Thanks!

This works...

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="4858"

This does not...

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing."

0 Karma

Richfez
SplunkTrust
SplunkTrust

I wonder, does it see the "." in your blacklist2 item and believes that's a regex?

It may be worth trying one of the following:

blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing\."

or

blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing"

I really don't know precisely HOW it determines if your lines fits the non-regex or the regex filtering way. (As per docs)

0 Karma

Magnus_001
Explorer

Hi All,

I got it to work by adding a regex statement to the blacklist.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = SourceName="^Microsoft.*$"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...