WinEventLog whitelisting by SourceName not working

jrlane
Engager

I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.

[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
index=windows_evt

With this config, any events I put in the first whitelist line work perfectly, but the second line is not functional. As a test, if I add an event code that will have a SourceName of "AD FS Auditing" (say EventCode=500) they come in just fine. I have tried various combinations of things for source name such as "^AD FS Auditing$" and ".*AD FS Auditing.*" with no success.

0 Karma
1 Solution

spayneort
Contributor

You are using both whitelist formats in the same stanza. That does not work, according to http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata.

You can specify one of two formats:

One or more Event Log event codes or event IDs (Event Code/ID format.)

One or more sets of keys and regular expressions (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.

Try this instead:

 [WinEventLog://Security]
 whitelist= EventCode="4624|4625"
 whitelist1= SourceName="AD FS Auditing"
 index=windows_evt


sonny_monti
Path Finder

Whitelisting for Wineventlog is a little bit tricky.

First of all you can whitelist only with these fields:
Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User

Then the logic behind different whitelist rules is like this:

whitelist OR whitelist1 OR whitelist2 OR .... OR whitelistN

where the logic of each whitelist rule is like this:

rule1 AND rule2 AND ... AND ruleN

Here is a concrete example:

whitelist = EventCode="4624|4625"
whitelist1 = SourceName="AD FS Auditing"
whitelist2 = Keywords="Audit Success" User="Bob Marley"

This translates to:

EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley")

0 Karma
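As an added illustration of the OR/AND semantics sonny_monti describes and the format-mixing problem spayneort points out, here is a small Python model of the advanced filtering format. This is example code written for this page, not Splunk's or the forwarder's own logic; it assumes the regex is searched, unanchored, within the field value, and the stanzas and events are constructed.

```python
import re

# Constructed stanzas: the asker's original (mixed formats) and the corrected one.
ORIGINAL_CONF = """
[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
"""
FIXED_CONF = """
[WinEventLog://Security]
whitelist= EventCode="4624|4625"
whitelist1= SourceName="AD FS Auditing"
whitelist2= Keywords="Audit Success" User="Bob Marley"
"""

# One key="regex" pair of the advanced filtering format.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def whitelist_lines(stanza: str):
    """Yield (setting name, value) for whitelist, whitelist1, ... whitelistN."""
    for line in stanza.splitlines():
        m = re.match(r'\s*(whitelist\d*)\s*=\s*(.*?)\s*$', line)
        if m:
            yield m.group(1), m.group(2)

def mixed_format_lines(stanza: str) -> list[str]:
    """Settings in the bare event-code format; the docs say they cannot share a stanza with key="regex" entries."""
    return [name for name, value in whitelist_lines(stanza) if not PAIR_RE.search(value)]

def parse_whitelists(stanza: str) -> list[dict[str, re.Pattern]]:
    """Each advanced-format setting becomes {field: compiled regex}."""
    return [{k: re.compile(v) for k, v in PAIR_RE.findall(value)}
            for _, value in whitelist_lines(stanza) if PAIR_RE.search(value)]

def event_passes(event: dict[str, str], rules: list[dict[str, re.Pattern]]) -> bool:
    """OR across whitelist settings, AND across the pairs inside one setting (assumed unanchored search)."""
    return any(all(pat.search(event.get(field, "")) for field, pat in rule.items())
               for rule in rules)

# Constructed Security-log events, not captured data.
EVENTS = [
    {"EventCode": "4624", "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Success", "User": "alice"},
    {"EventCode": "500", "SourceName": "AD FS Auditing", "Keywords": "Audit Success", "User": "alice"},
    {"EventCode": "4688", "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Success", "User": "Bob Marley"},
    {"EventCode": "4688", "SourceName": "Microsoft-Windows-Security-Auditing", "Keywords": "Audit Failure", "User": "Bob Marley"},
]

def forwarded_codes(stanza: str, events: list[dict[str, str]]) -> list[str]:
    """EventCodes of the events that any whitelist setting lets through."""
    rules = parse_whitelists(stanza)
    return [e["EventCode"] for e in events if event_passes(e, rules)]
```

Running `forwarded_codes(FIXED_CONF, EVENTS)` keeps the 4624 logon, the AD FS event 500 and the "Audit Success" event for Bob Marley, while the "Audit Failure" event is dropped because both pairs of whitelist2 must match; `mixed_format_lines(ORIGINAL_CONF)` flags the bare-code `whitelist` line.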

gcusello
SplunkTrust

Hi jrlane,
probably there's an error in your regex: e.g. before brackets and equals you have to insert a backslash (\).

Try your regex in https://regex101.com/ or in Splunk before inserting it in the whitelist.

Bye.
Giuseppe

0 Karma

jrlane
Engager

I don't see how regex could be the problem. Running this query: index="myindex" SourceName="AD FS Auditing" EventCode=500, I get the results I need; there should be no regex required on SourceName, it's an exact string.

0 Karma

gcusello
SplunkTrust

Hi jrlane,
from http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = <regular expression>
* If set, files from this input are monitored only if their path matches the specified regex.
* Takes precedence over the deprecated _whitelist setting, which functions the same way.

In the whitelist you have to insert a regex, not a string or a field like the one you used in your example: index="myindex" SourceName="AD FS Auditing" EventCode=500
So if you use a rex command in your search instead of a string, you can see that your regex is wrong (backslashes before brackets and equals).
Try using whitelist1= SourceName\=\"AD FS Auditing\" in your inputs.conf.

You can verify this regex in this way:
using the regex of your whitelist, you don't get events:

index="myindex" EventCode=500
| rex "SourceName="AD FS Auditing""

Instead, if you use the correct regex, you'll find events:

index="myindex" EventCode=500
| rex "SourceName\=\"AD FS Auditing\""

Try it.

Bye.
Giuseppe

0 Karma