Getting Data In

Why are blacklisted 4663 and 4660 events still showing up?

zward
Path Finder

I am hoping someone can help me out with a filtering blacklist issue I am having. I am currently filtering out event codes 4663 and 4660 so that splunk.exe (splunkd.exe, mcshield.exe, and a few other) processes are blacklisted and not sent, as Splunk is recording itself (splunkd.exe) accessing the Splunk directory every single time a file is touched or written (thousands of events per minute).

Every time Splunk receives a file or log, it records and updates the index, which creates more log files with event codes 4663 and 4660. As you can imagine this is a massive amount of data being logged. Event codes 4660 and 4663 are for objects that are accessed. I have applied the blacklists below, however I am still seeing results when I search for the event codes. Below are my blacklists, any idea why these events are still showing up, maybe there is an issue with my blacklist?

blacklist3 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"
blacklist4 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Common Files\\McAfee\\SystemCore\\(?:mcshield).exe)"
blacklist5 = EventCode="4660" Message="Process_Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"

I did multiple searches and was unable to find an effective blacklist for event codes 4663 and 4660 that are granular enough to exclude splunkd.exe. Also please note full hostname information has been excluded from the screenshot for security reasons.

Thank you for your help.

0 Karma
1 Solution

nickhills
Ultra Champion

Simply:

blacklist3 = EventCode="4663" Message="SplunkUniversalForwarder"

Is working in our environment.

edit:
Just to note - we are using the XML log format, however I believe the filtering occurs the same irrespective of the format though I have not tried it!

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

Simply:

blacklist3 = EventCode="4663" Message="SplunkUniversalForwarder"

Is working in our environment.

edit:
Just to note - we are using the XML log format, however I believe the filtering occurs the same irrespective of the format though I have not tried it!

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!

If my comment helps, please give it a thumbs up!
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @zward,

Can you please provide one sample event for EventCode=4663 and 4660 ?

0 Karma

zward
Path Finder

Here is a sample event

4663:

12/13/2017 12:15:36 PM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=4663
    EventType=0
    Type=Information
    ComputerName=SPLUNKPRD01
    TaskCategory=Removable Storage
    OpCode=Info
    RecordNumber=2992047793
    Keywords=Audit Success
    Message=An attempt was made to access an object.

    Subject:
        Security ID:        S-1-5-18
        Account Name:       SPLUNKPRD01$
        Account Domain:     TESTENV
        Logon ID:       0x3E7

    Object:
        Object Server:      Security
        Object Type:        File
        Object Name:        E:\Splunk\datastore\optiv\db\hot_v1_126\Hosts.data
        Handle ID:      0x4b0
        Resource Attributes:
    Process Information:
        Process ID:     0x8e8
        Process Name:       C:\Program Files\Splunk\bin\splunkd.exe

    Access Request Information:
        Accesses:       ReadData (or ListDirectory)

        Access Mask:        0x1

4660

12/13/2017 12:17:36 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4660
EventType=0
Type=Information
ComputerName=SPLUNKPRD01
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=2992128965
Keywords=Audit Success
Message=An object was deleted.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SPLUNKPRD01$
    Account Domain:     TESTENV
    Logon ID:       0x3E7

Object:
    Object Server:  Security
    Handle ID:  0xfe8

Process Information:
    Process ID: 0x688
    Process Name:   C:\Program Files\Splunk\bin\splunkd.exe
    Transaction ID: {00000000-0000-0000-0000-000000000000}
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...