Getting Data In

When filtering Windows event logs, can you filter on fields other than EventCode, such as Account_Name?

kftaylor
Observer

Taken from inputs.conf on the deployment server:

blacklist1 = EventCode="4662" 
blacklist2 = EventCode="566"
blacklist3 = EventCode="4776"
blacklist4 = EventCode="4768"
blacklist5 = EventCode="4769"
blacklist6 = EventCode="5156"
blacklist7 = EventCode="4658"
blacklist8 = EventCode="4656"
blacklist9 = Account_Name="SERVICE-ACCOUNT-NAME"

The above blacklist works perfectly for all EventCodes noted, but I am trying to blacklist activity (specifically high volumes of login events) for particular service accounts.

Is this possible?

0 Karma

Richfez
SplunkTrust

I've used many of the items documented here. Though the whole document is a fabulously interesting and useful read, the parts I'd like to point out specifically are as follows.

In the section "Event log monitor configuration values" you'll find a description of the various ways to use blacklist/whitelist. In your case, nearly all of those events should be able to be combined into one "easy" syntax line.
blacklist1 = 566,4656,4658,4662,4768,4769,4776,5156

EXCEPT, you won't be able to do that because you want to use the advanced filters as described in the section "Create advanced filters with 'whitelist' and 'blacklist'". You can't mix the easy and the advanced ones together, not even as separate lines - one stanza can only have one type in it.

But that's OK because we can rewrite your new and improved blacklist1 above into regex style, and combine them all. You just have to know where to find it in the docs (search for "Event ID list format")!

Tell you what, I'll just paste in a stanza I have. I think you can figure it out from there.

[WinEventLog://Security]
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode=%^(4658|4663|5145|5156|5157)$%

Obviously, my blacklist3 line would be trivially adaptable to your new and extra-improved blacklist1 line. Just replace the numbers with your own. (You'll even notice I blacklist a lot of the events you want to blacklist. Great minds think alike, eh?)

Once you have that, you can fiddle around with a blacklist2 line using the two keys that may be of use: ComputerName and User.

0 Karma
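The advanced blacklist format from the answer above, as an added example that is not from the thread or from Splunk: a small Python checker that applies constructed blacklist lines to constructed sample events, so a stanza can be reviewed before it goes to the deployment server. It assumes Splunk's documented filter semantics (key=regex pairs on one line are ANDed, separate lines are ORed, each regex is searched within the field text) and uses the User key in place of the question's Account_Name, as the answer suggests; the service-account name and field values are placeholders.

```python
import re

# Constructed blacklist lines in the "advanced" inputs.conf format:
# key="regex" or key=%regex% pairs. Placeholder values, not a real deployment.
BLACKLIST = [
    'EventCode=%^(566|4656|4658|4768|4769|4776|5156)$%',
    'EventCode="4624" User="^SERVICE-ACCOUNT-NAME$"',
    r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"',
]

# One key=value pair, with the value delimited by "..." or %...%
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')


def parse_line(line):
    """Split one blacklist line into (key, compiled regex) pairs."""
    return [(key, re.compile(quoted or pct))
            for key, quoted, pct in PAIR_RE.findall(line)]


def line_matches(pairs, event):
    """All pairs on one line must match (AND). Assumed semantics: the regex
    is searched anywhere in the field text, which is why the EventCode
    patterns above carry ^...$ anchors; a field missing from the event
    never matches."""
    return bool(pairs) and all(
        rx.search(str(event.get(key, ""))) is not None for key, rx in pairs)


def is_blacklisted(event, rules=BLACKLIST):
    """Any matching line keeps the event out of Splunk (OR across lines)."""
    return any(line_matches(parse_line(line), event) for line in rules)


def dropped_events(events, rules=BLACKLIST):
    """Return the indexes of the events the rules would drop."""
    return [i for i, ev in enumerate(events) if is_blacklisted(ev, rules)]


# Constructed sample events: a subset of the fields a Security log event carries
EVENTS = [
    {"EventCode": "4769", "User": "jdoe", "Message": "A Kerberos service ticket was requested."},
    {"EventCode": "4624", "User": "SERVICE-ACCOUNT-NAME", "Message": "An account was successfully logged on."},
    {"EventCode": "4624", "User": "jdoe", "Message": "An account was successfully logged on."},
    {"EventCode": "4662", "User": "jdoe", "Message": "Object Type:\tgroupPolicyContainer"},
    {"EventCode": "4662", "User": "jdoe", "Message": "Object Type:\tuser"},
]

if __name__ == "__main__":
    print(dropped_events(EVENTS))  # → [0, 1, 4]
```

Because `\s+` can backtrack, the `Object Type:\s+(?!groupPolicyContainer)` pattern still matches a message with two or more whitespace characters before groupPolicyContainer; moving the whitespace into the lookahead, `Object Type:(?!\s*groupPolicyContainer)`, avoids that.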