I have over 300 Universal Forwarders and I'm getting several EventCode=5156 event errors. Is there a way to blacklist this event on a heavy forwarder? If not, what would be the best approach for blacklisting this event code?
Hi mrtolu6,
The best way is to insert the blacklisted value in your TA distributed to all the Universal Forwarders:
blacklist = EventCode\=5156
(see https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf)
Otherwise you could filter these events in your Heavy Forwarder:
props.conf
[your_sourcetype]
TRANSFORMS-set-remove_headers=set_OK,set_nullqueue
transforms.conf
[set_nullqueue]
REGEX = EventCode\=5156
DEST_KEY = queue
FORMAT = nullQueue
[set_OK]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Bye.
Giuseppe
Thanks Giuseppe for your response. I tried to do it on the heavy fwd but it did not work. Please see below to see what I inserted in the props.conf and transforms.conf files.
props.conf
[WinEventLog:Security]
TRANSFORMS-set-remove_headers=set_OK,set_nullqueue
transforms.conf
[set_nullqueue]
REGEX = EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
[set_OK]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Please disregard, it did work. Thanks for your help.
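An added illustration, not code from the thread or from Splunk: a small Python simulation of how the props.conf/transforms.conf pair above routes events, applying the queue transforms in the order listed in TRANSFORMS-set-remove_headers so that a later match overrides an earlier one. The conf text, the two WinEventLog:Security events and the route() helper are constructed for this example; it also shows why set_OK has to come before set_nullqueue.

```python
import re
import configparser

# Constructed copies of the stanzas from the thread (not read from a real Splunk install).
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-set-remove_headers = set_OK,set_nullqueue
"""

TRANSFORMS_CONF = """
[set_nullqueue]
REGEX = EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue

[set_OK]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
"""

# Same props.conf with the transform order reversed, to show the ordering pitfall.
PROPS_CONF_REVERSED = PROPS_CONF.replace("set_OK,set_nullqueue", "set_nullqueue,set_OK")

# Constructed sample events in the multi-line WinEventLog layout.
EVENT_5156 = "LogName=Security\nEventCode=5156\nMessage=The Windows Filtering Platform has permitted a connection."
EVENT_4624 = "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on."


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text; keep key case (DEST_KEY, TRANSFORMS-...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route(sourcetype: str, raw: str, props: str = PROPS_CONF, transforms: str = TRANSFORMS_CONF) -> str:
    """Return the queue an event lands in. Transforms run in the order listed in
    props.conf; each DEST_KEY=queue match overwrites the previous destination."""
    p, t = load_conf(props), load_conf(transforms)
    queue = "indexQueue"  # default destination if no transform touches the queue key
    for key, value in p[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            stanza = t[name]
            if stanza.get("DEST_KEY") == "queue" and re.search(stanza["REGEX"], raw, re.MULTILINE):
                queue = stanza["FORMAT"]
    return queue
```

With the reversed order, set_OK's catch-all REGEX runs last and sends the 5156 event back to indexQueue, which is the classic symptom when a nullQueue filter "does not work".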
Hi @mrtolu6
Glad you found a working solution through @cusello. Please don't forget to resolve the post by clicking "Accept" directly below his answer, and upvote his answer for helping you out.
Patrick