I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.
[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
index=windows_evt
With this config any events I put in the first whitelist line work perfectly, but the second line is not functional. As a test, if I add an event code that will have a SourceName of "AD FS Auditing" (say EventCode=500) they come in just fine. I have tried various combinations of things for source name such as "^AD FS Auditing$" and ".*AD FS Auditing.*" with no success.
You are using both whitelist formats in the same stanza. That does not work, according to http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata.
You can specify one of two formats:
One or more Event Log event codes or event IDs (Event Code/ID format.)
One or more sets of keys and regular expressions (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.
Try this instead:
[WinEventLog://Security]
whitelist= EventCode="4624|4625"
whitelist1= SourceName="AD FS Auditing"
index=windows_evt
Whitelisting for Wineventlog is a little bit tricky.
First of all you can whitelist only with these fields:
Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User
Then the logic behind the different whitelist rules is like this:
whitelist OR whitelist1 OR whitelist2 OR ... OR whitelistN
where the logic within each whitelist rule is like this:
rule1 AND rule2 AND ... AND ruleN
Here is a concrete example:
whitelist = EventCode="4624|4625"
whitelist1 = SourceName="AD FS Auditing"
whitelist2 = Keywords="Audit Success" User="Bob Marley"
This translates to:
EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley")
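To make the two answers above concrete, here is a small evaluator, added as an example and not part of the thread or of Splunk itself, that applies the rules they describe to some constructed sample events: it rejects a stanza that mixes the Event Code/ID format with the advanced Key="regex" format, ORs the whitelist/whitelistN entries together, and ANDs the Key="regex" pairs within one entry. The accepted field names are the ones listed above; the assumption that each regex is searched within the field value (so EventCode="4624|4625" matches an EventCode of 4624) is mine, as are the stanza dicts, the sample events and the function names.

```python
import re

# Fields Splunk accepts as keys in advanced-format whitelist entries (list from the answer above).
ALLOWED_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType", "Keywords",
    "LogName", "Message", "OpCode", "RecordNumber", "Sid", "SidType", "SourceName",
    "TaskCategory", "Type", "User",
}

# One Key="regex" pair; the regex may contain backslash-escaped quotes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Event Code/ID format: numbers or ranges such as 0-2000, separated by commas or spaces.
CODES_RE = re.compile(r"\s*\d[\d,\-\s]*")
# Setting names that carry whitelist rules: whitelist, whitelist1, ... whitelistN.
WHITELIST_KEY_RE = re.compile(r"whitelist\d*")


def entry_format(value):
    """Classify one whitelist value as 'codes' (Event Code/ID) or 'advanced' (Key="regex")."""
    if CODES_RE.fullmatch(value):
        return "codes"
    if PAIR_RE.search(value):
        return "advanced"
    raise ValueError(f"unrecognised whitelist entry: {value!r}")


def compile_entry(value):
    """Return a predicate event -> bool for a single whitelist/whitelistN value."""
    if entry_format(value) == "codes":
        codes = set()
        for part in re.split(r"[,\s]+", value.strip()):
            lo, _, hi = part.partition("-")          # "4624" or "0-2000"
            codes.update(range(int(lo), int(hi or lo) + 1))
        return lambda ev: str(ev.get("EventCode", "")).isdigit() and int(ev["EventCode"]) in codes
    pairs = []
    for key, pattern in PAIR_RE.findall(value):
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unsupported whitelist key: {key}")
        pairs.append((key, re.compile(pattern)))
    # Within one entry every Key="regex" pair must match (AND).
    # Assumption: the regex is searched within the field value, not anchored.
    return lambda ev: all(rx.search(str(ev.get(key, ""))) for key, rx in pairs)


def compile_stanza(stanza):
    """Compile every whitelist* setting of a stanza; refuse a stanza that mixes the two formats."""
    values = [v for k, v in stanza.items() if WHITELIST_KEY_RE.fullmatch(k)]
    formats = {entry_format(v) for v in values}
    if len(formats) > 1:
        raise ValueError("stanza mixes Event Code/ID and advanced whitelist formats")
    return [compile_entry(v) for v in values]


def filter_events(stanza, events):
    """Return the RecordNumbers of events accepted by the stanza (entries are ORed)."""
    predicates = compile_stanza(stanza)
    return [ev["RecordNumber"] for ev in events if any(p(ev) for p in predicates)]


# Constructed stanzas: the mixed one from the question and the advanced-only fix from the answers.
QUESTION_STANZA = {
    "whitelist": "4624, 4625",
    "whitelist1": 'SourceName="AD FS Auditing"',
    "index": "windows_evt",
}
FIXED_STANZA = {
    "whitelist": 'EventCode="4624|4625"',
    "whitelist1": 'SourceName="AD FS Auditing"',
    "whitelist2": 'Keywords="Audit Success" User="Bob Marley"',
    "index": "windows_evt",
}

# Constructed sample events (only the fields the rules look at).
EVENTS = [
    {"RecordNumber": 1, "EventCode": "4624", "SourceName": "Microsoft-Windows-Security-Auditing",
     "Keywords": "Audit Success", "User": "alice"},
    {"RecordNumber": 2, "EventCode": "500", "SourceName": "AD FS Auditing",
     "Keywords": "Audit Success", "User": "bob"},
    {"RecordNumber": 3, "EventCode": "4688", "SourceName": "Microsoft-Windows-Security-Auditing",
     "Keywords": "Audit Success", "User": "Bob Marley"},
    {"RecordNumber": 4, "EventCode": "4688", "SourceName": "Microsoft-Windows-Security-Auditing",
     "Keywords": "Audit Failure", "User": "Bob Marley"},
]

if __name__ == "__main__":
    try:
        filter_events(QUESTION_STANZA, EVENTS)
    except ValueError as exc:
        print("question stanza rejected:", exc)
    print("fixed stanza accepts RecordNumbers:", filter_events(FIXED_STANZA, EVENTS))
```

Event 4 is the instructive one: it satisfies User="Bob Marley" but not Keywords="Audit Success", so whitelist2 as a whole fails and the event is dropped, which is exactly the AND-within-an-entry behaviour the answer describes.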
Hi jrlane,
probably there's an error in your regex: e.g. before brackets and equals signs you have to insert a backslash (\).
Try your regex in https://regex101.com/ or in Splunk before inserting it in the whitelist.
Bye.
Giuseppe
I don't see how regex could be the problem. Running this query: index="myindex" SourceName="AD FS Auditing" EventCode=500
I get the results I need; there should be no regex required on SourceName, it's an exact string.
Hi jrlane,
from http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
whitelist = <regular expression>
* If set, files from this input are monitored only if their path matches the specified regex.
* Takes precedence over the deprecated _whitelist setting, which functions the same way.
In the whitelist you have to insert a regex, not a string or a field as the one you used in your example index="myindex" SourceName="AD FS Auditing" EventCode=500
So if you use a rex command in your search instead of a string you can see that your regex is wrong (backslashes before brackets and equals signs).
Try using whitelist1= SourceName\=\"AD FS Auditing\"
in your inputs.conf.
You can verify this regex in this way:
Using the regex of your whitelist, you don't get events:
index="myindex" EventCode=500
| rex "SourceName="AD FS Auditing""
Instead, if you use the correct regex, you'll find events:
index="myindex" EventCode=500
| rex "SourceName\=\"AD FS Auditing\""
Try it.
Bye.
Giuseppe