Getting Data In

Blacklisting EventCode=5156 with Source_Port=8

nathanpyun
Explorer

I am trying to blacklist Windows Security event ID 5156 with source port number 8, but does not seem working. Could anyone help me with this? Thank you in advance.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Source_Port=8
index = wineventlog
renderXml=false

lakromani
Builder

Source_port is not a valid key to use in blacklist

Taken from the manual:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=i...

Valid keys for the key=regex format:

  • The following keys are equivalent to the fields that appear in the text of the acquired events:
    • Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

shawngarrettsgp
Path Finder

I'm struggling with a similar issue too, for me it seems to just be flatout blacklisting every 5156 EventCode at this point despite my 2nd regex criteria. I've tried both ways below.

blacklist = EventCode="5156" Destination_Address="172\.(20|21)\.3\.(57|58|59|9)"

blacklist = EventCode="5156" Message="Destination\ Address\:\ 172\.(20|21)\.3\.(57|58|59|9)"

0 Karma

shawngarrettsgp
Path Finder

I think my issue is that my UF's are still prior 6.1 😐 :'(
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

0 Karma

asimagu
Builder

did you try escaping the double quotes ?

0 Karma

nathanpyun
Explorer

I tried by doing:

blacklist3 = EventCode=5156 Source_Port=8

blacklist3 = EventCode="5156 Source_Port=8"

blacklist3 = EventCode=""5156" Source_Port="8""

but none worked...

0 Karma

asimagu
Builder

in Splunk you usually escape characters with \, so if you want to escape a double quote you would type \"

0 Karma

asimagu
Builder

sorry, I just realised that this website escaped my escaping character.
I wanted to say that in Splunk you usually escape characters with a backslash before the character EventCode=\"4662\"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...