Security

how to whitelist specific users who failed to login in "WinEventLog://Security"

chanamoluk
Explorer

i need only two users( nacuser,paloaltouid) data who failed to login to the servers to be indexed in splunk cloud .. please let me know whether the below configuration is correct or not.

and please provide me the exact configuration to index failed logs for those specific users.

inputs.conf

[WinEventLog://Security]
disabled = 0
whitelist1 = 4624
whitelist2 = "user = nacuser,paloaltouid"


niketn
Legend

The key in a key/regular expression pair starts with an upper-case letter. In this case it should be User and not user.

whitelist2= User="nacuser"
whitelist3= User="paloaltouid"

OR

whitelist2= User="^nacuser$"
whitelist3= User="^paloaltouid$"

Further, if you have more than one value of the same key to be filtered, you should define separate whitelists, since otherwise only the latter will be used. Refer to the following snippet from the Splunk Documentation on the same:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_f...

Note: You cannot specify an entry that has more than one key/regular expression set that references the same key. If, for example, you specify:

whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$"
Splunk Enterprise ignores the first set and only attempts to include events that match the second set. In this case, only events that contain an EventCode between 20 and 25 match. Events that contain an EventCode between 10 and 15 do not match. Only the last set in the entry ever matches. To resolve this problem, specify two separate entries in the stanza:

whitelist = EventCode="^1([0-5])$"
whitelist1 = EventCode="^2([0-5])$"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
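As an added illustration of the documentation note quoted above (this is not code from the thread or from Splunk itself), here is a small Python model of how key=regex whitelist entries are evaluated against sample events. It assumes that key=regex sets within one entry are ANDed, that separate whitelist/whitelist1..9 entries are ORed, and that a duplicate key inside one entry keeps only its last regex, which is the behaviour the quoted note describes; the sample events are constructed.

```python
import re

# One key=regex set: key="regex" or key=%regex% (both delimiters are accepted by inputs.conf).
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')


def parse_entry(entry):
    """Turn one whitelist entry into {key: compiled regex}.

    A repeated key overwrites the earlier one, which models the documented
    "only the last set in the entry ever matches" behaviour.  An entry with
    no key=regex sets is treated as a comma-separated list of EventCodes
    (ranges such as 4624-4634 are not modelled here).
    """
    sets = {}
    for key, dq, pct in _PAIR.findall(entry):
        sets[key] = re.compile(dq or pct)
    if not sets:
        codes = "|".join(c.strip() for c in entry.split(","))
        sets["EventCode"] = re.compile(r"^(?:%s)$" % codes)
    return sets


def entry_matches(sets, event):
    """Assumption: every key in an entry must match (AND within one entry)."""
    return all(k in event and rx.search(event[k]) for k, rx in sets.items())


def whitelisted(stanza, event):
    """Assumption: the event is kept if any whitelist/whitelist1..9 entry matches (OR)."""
    entries = [v for k, v in stanza.items() if re.fullmatch(r"whitelist[1-9]?", k)]
    return any(entry_matches(parse_entry(e), event) for e in entries)


# Constructed sample events (not real Windows Security log data).
SAMPLE_EVENTS = [
    {"EventCode": "12", "User": "nacuser"},
    {"EventCode": "22", "User": "paloaltouid"},
    {"EventCode": "4625", "User": "nacuser"},
    {"EventCode": "4625", "User": "someoneelse"},
]

# The two forms from the documentation note, plus a hypothetical single-entry
# filter for failed logons (4625) of the two users discussed in the thread.
ONE_ENTRY = {"whitelist": 'EventCode="^1([0-5])$" EventCode="^2([0-5])$"'}
TWO_ENTRIES = {"whitelist": 'EventCode="^1([0-5])$"', "whitelist1": 'EventCode="^2([0-5])$"'}
TWO_USERS_FAILED = {"whitelist": 'EventCode=%^4625$% User=%^(nacuser|paloaltouid)$%'}


def indexed(stanza):
    """Return the sample events the stanza would let through."""
    return [e for e in SAMPLE_EVENTS if whitelisted(stanza, e)]
```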

chanamoluk
Explorer

[WinEventLog://Security]
disabled = 0
index= activedirectory
whitelist = 4624,4625
whitelist1= User="^nacuser$"
whitelist2= User="^paloaltouid$"

I have used the same inputs.conf configuration, but I haven't seen any filtered events indexing to Splunk.
But when I exclude whitelist1 and whitelist2 I can see all the events indexing to Splunk.

Please let me know if I have to make any edits.


niketn
Legend

Was the result the same for the following as well?

whitelist2= User="nacuser"
whitelist3= User="paloaltouid"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

chanamoluk
Explorer

Yes, the stanzas were not indexing.


niketn
Legend

Can you try replacing the double quotes with percent signs? Also try using just one whitelist at a time.
If 4624,4625 are EventCodes, keep just whitelist=4624,4625 and check whether you see the correct events or not. Similarly, try just whitelist1 as whitelist, and finally just whitelist2 as whitelist.

whitelist1= User=%^nacuser$%
whitelist2= User=%^paloaltouid$%
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

chanamoluk
Explorer

[WinEventLog://Security]
disabled = 0
index = activedirectory
whitelist = 4624,4625
whitelist = User=%^nacuser$%
whitelist = User=%^paloaltouid$%

I have used this stanza. No events seen. The User whitelists are not extracting any data.
