Hello
Can someone write here the steps and which files I have to edit in order to filter Windows events?
Tnx
Hey vad34,
You can use something like this in your inputs.conf:
[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
The reference I'm grabbing from is this blog post:
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
This is a little more elegant, but it's specific to WinEventLog data. jmallorquin's solution is universal to any data source.
Yes, I restarted the whole Splunk server.
Other silly question... what version of universal forwarder are you running?
If you still have problems use my method 🙂
Hi, the version is 6.3.2.
And is your stanza
[WinEventLog:Security] OR [WinEventLog://Security]?
Because the first one is incorrect.
My stanza is [WinEventLog:Security]; I will correct it now and check, update soon.
BTW, do I only need to edit /opt/splunk/etc/system/local/inputs.conf, or also the Windows apps: /opt/splunk/etc/apps/splunk_app_windows_infrastructure and /opt/splunk/etc/apps/Splunk_TA_windows?
System local configuration persists over ALL.
OK, will correct it now and update you.
I followed the blog; I don't have group policy, so I configured this:
[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"
But I'm still getting the events in Splunk.
Any ideas?
Silly question – have you restarted the forwarder?
Hi,
Here you have a good example
https://answers.splunk.com/answers/335000/how-could-i-filter-network-firewall-data-using-a-f.html#an...
Hope it helps you.
Tnx for the quick reply, appreciate it!
I configured the following in inputs.conf:
host = mysplunk
[splunktcp://9997]
[WinEventLog:System]
disabled = 0
whitelist = 7036-7037
blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
whitelist = 0-1
blacklist = 4725-4800
I configured it in /opt/splunk/etc/system/local/inputs.conf, restarted Splunk and still get irrelevant events.
I copied it to /opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf and to /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local/inputs.conf, restarted Splunk and it's still the same.
Do I have to edit props.conf and transforms.conf?
Tnx in advance
The above looks good. Try running this command:
./splunk cmd btool inputs list --debug
and check the output to see if the inputs aren't being overruled by another blacklist setting in conf files in other Splunk apps.
Hi
Here is the output fragment of the debug command:
host = splunk-102
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = windows
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxSockets = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxThreads = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = port
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf useDeploymentServer = 0
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://printer]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf dedicatedIoThreads = 2
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf enableSSL = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dc_name =
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dns_name =
host = splunk-102
How can I determine whether the inputs aren't being overruled?
Tnx
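One way to answer that last question, as an added example that is not from the thread or from Splunk: a small Python script that parses `splunk cmd btool inputs list --debug` output and reports, for every WinEventLog:// stanza, which file each whitelist/blacklist setting is actually taken from, and also flags stanzas written in the [WinEventLog:X] form the thread points out is incorrect. The sample output, paths and values embedded below are constructed for illustration.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output (not the
# thread's own output); the file paths, stanzas and values are assumptions.
SAMPLE = """\
/opt/splunk/etc/system/local/inputs.conf [WinEventLog:Security]
/opt/splunk/etc/system/local/inputs.conf blacklist = 4725-4800
/opt/splunk/etc/system/local/inputs.conf whitelist = 0-1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf blacklist = 0-4624
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = windows
"""

LINE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.+?)\s*$")
FILTER_KEY = re.compile(r"^(whitelist|blacklist)\d*$")  # whitelist, blacklist1, ...
def parse_btool(text):
    """Return {stanza: {key: (value, path)}}. btool --debug prints the
    effective value of every key next to the file it was taken from."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        path, rest = m.group("path"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            current = rest
            stanzas.setdefault(current, {})
        elif current is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            stanzas[current][key] = (value, path)
    return stanzas

def malformed_stanzas(stanzas):
    """Headers written as [WinEventLog:X] instead of [WinEventLog://X]; the
    thread notes that form is incorrect, so filters under it never apply."""
    return [s for s in stanzas
            if s.startswith("[WinEventLog:") and not s.startswith("[WinEventLog://")]

def overruled_filters(stanzas, expected_path):
    """(stanza, key, value, path) for each whitelist/blacklist* key of a real
    WinEventLog:// stanza whose effective value is NOT taken from the file you
    edited. An empty list means nothing in another app overrides your filters."""
    return [(s, k, v, p) for s, keys in stanzas.items() if s.startswith("[WinEventLog://")
            for k, (v, p) in keys.items() if FILTER_KEY.match(k) and p != expected_path]

if __name__ == "__main__":
    parsed = parse_btool(SAMPLE)
    print(malformed_stanzas(parsed), overruled_filters(parsed, "/opt/splunk/etc/system/local/inputs.conf"))
```

Feed it the btool output of the host that actually owns the WinEventLog input (the forwarder), since btool only reads the configuration of the machine it runs on.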