How to configure inputs.conf to blacklist "Account Name" field for EventCode 4656?

egm05
Explorer

Splunk 6.2.6 inputs.conf blacklisting
Viewed numerous blogs and answers on similar topics, but can't come up with the correct string for my need. Also looked at the inputs.conf spec.

For Event 4656, in the Account Name: field, I don't want to see computer names. In the "Account Name" field, all computers begin with a common word which I'll call "junk" for the purposes of this post and end with a "$".

blacklist = EventCode=4656 Message="Object Type:\s+(junk*$)"

I've tried a couple dozen other methods and iterations all with no success. Would appreciate any help as this item is crushing my license!

egm05
Explorer

Sorry for the 24 hour delay in posting this. Apparently my thanking two people for responding used the two daily posts I get. So here is the solution:

Thank you everyone for your thoughts, time and effort. It was my first post so I missed a few key things, but in the end this is the string that worked. I'm not sure why the solutions in the posted links above and from "maciep" didn't work. Here is what did:

blacklist1 = EventCode="4656" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Again, not sure why I had to get so specific and was not able to use the examples provided.

Thanks again everyone!
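
As an added example (not code from the thread), the snippet below replays the three blacklist regexes posted above against a constructed 4656 message in Python, whose re module treats every construct used here the same way Splunk's PCRE engine does. The sample events and the extra TIGHTER pattern are my own assumptions; they show why the two "junk*$" variants can never match a name such as junkWS01$ and why the accepted answer does.

```python
import re

# Blacklist regexes exactly as posted in this thread. Splunk applies them as
# PCRE searches against the event's Message field; Python's re module behaves
# the same for every construct used here.
ORIGINAL_ATTEMPT = r"Object Type:\s+(junk*$)"         # OP's first try
SUGGESTED = r"Account Name:\s+(junk*$)"               # maciep's suggestion
WORKING = r".*[\S\s]*Account\sName:\s+[\S+]+[\$]"     # accepted answer
# Hypothetical tighter variant (not from the thread): only names that start
# with the site prefix AND end in a literal "$", so human accounts and other
# "$"-suffixed values elsewhere in the message are left alone.
TIGHTER = r"Account Name:\s+junk\S*\$"

# Constructed 4656 messages (not real events). "junk" stands in for the
# site-specific computer-name prefix, as in the original post.
COMPUTER_EVENT = (
    "A handle to an object was requested.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tjunkWS01$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Object:\n"
    "\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
)
USER_EVENT = COMPUTER_EVENT.replace("junkWS01$", "jdoe")


def blacklisted(message: str, pattern: str) -> bool:
    """True if an inputs.conf blacklist with Message=<pattern> would drop it."""
    return re.search(pattern, message) is not None


def evaluate(message: str) -> dict:
    """Map each regex name to whether it would drop the given message."""
    patterns = {"original": ORIGINAL_ATTEMPT, "suggested": SUGGESTED,
                "working": WORKING, "tighter": TIGHTER}
    return {name: blacklisted(message, pat) for name, pat in patterns.items()}


if __name__ == "__main__":
    # The unescaped "$" in the first two patterns is an end-of-line anchor, and
    # "junk*" means "jun" plus any number of "k", so neither can match a name
    # like junkWS01$; the accepted answer and the tighter variant both drop it.
    for label, msg in (("computer account", COMPUTER_EVENT),
                       ("user account", USER_EVENT)):
        print(label, evaluate(msg))
```

maciep's btool suggestion corresponds to `splunk btool inputs list --debug`, which lists every blacklist in effect together with the file it comes from.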

brandili
Explorer

This expression worked perfectly for what I needed. I was able to filter logon from users ending with "$". Thank you for your contribution.

maciep
Champion

A couple of thoughts. First, is it possible there's another blacklist entry on the box for that event log that is winning over yours? Might be worth running btool just to be sure. No need to pull your hair out if nothing you change is going to matter anyway.

Second, doesn't the Account info come before the Object Type in the message? Meaning, do you want something like this maybe?

blacklist = EventCode=4656 Message="Account Name:\s+(junk*$)"

egm05
Explorer

Thanks for the response. What you've posted as an example is what I would have figured would work. Fortunately my configuration is a smaller one and very easy to control since I'm the only admin. I did not have any competing blacklists. Excellent point I didn't think to consider. I did come across a working solution though which I'll post below. Thank you very much for your time and effort.

stephanefotso
Motivator

Hello! Please give us a sample of your events.

Thanks

SGF
egm05
Explorer

Sorry for not posting a sample of event 4656. Should have been the first thing I did. I will know better for next time. Thanks for the advice / response. Fortunately I now have my answer.
