I am hoping someone can help me out with a filtering blacklist issue I am having. I am currently filtering out event codes 4663 and 4660 so that splunk.exe (splunkd.exe, mcshield.exe, and a few others) processes are blacklisted and not sent, as Splunk is recording itself (splunkd.exe) accessing the Splunk directory every single time a file is touched or written (thousands of events per minute).
Every time Splunk receives a file or log, it records and updates the index, which creates more log files with event codes 4663 and 4660. As you can imagine, this is a massive amount of data being logged. Event codes 4660 and 4663 are for objects that are accessed. I have applied the blacklists below; however, I am still seeing results when I search for the event codes. Below are my blacklists. Any idea why these events are still showing up? Maybe there is an issue with my blacklist?
blacklist3 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"
blacklist4 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Common Files\\McAfee\\SystemCore\\(?:mcshield).exe)"
blacklist5 = EventCode="4660" Message="Process_Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"
I did multiple searches and was unable to find an effective blacklist for event codes 4663 and 4660 that is granular enough to exclude splunkd.exe. Also, please note that full hostname information has been excluded from the screenshot for security reasons.
Thank you for your help.
Simply:
blacklist3 = EventCode="4663" Message="SplunkUniversalForwarder"
Is working in our environment.
edit:
Just to note: we are using the XML log format; however, I believe the filtering occurs the same irrespective of the format, though I have not tried it!
Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!
Hi @zward,
Can you please provide one sample event for EventCode=4663 and 4660?
Here is a sample event
4663:
12/13/2017 12:15:36 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=SPLUNKPRD01
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=2992047793
Keywords=Audit Success
Message=An attempt was made to access an object.
Subject:
Security ID: S-1-5-18
Account Name: SPLUNKPRD01$
Account Domain: TESTENV
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: E:\Splunk\datastore\optiv\db\hot_v1_126\Hosts.data
Handle ID: 0x4b0
Resource Attributes:
Process Information:
Process ID: 0x8e8
Process Name: C:\Program Files\Splunk\bin\splunkd.exe
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
4660:
12/13/2017 12:17:36 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4660
EventType=0
Type=Information
ComputerName=SPLUNKPRD01
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=2992128965
Keywords=Audit Success
Message=An object was deleted.
Subject:
Security ID: S-1-5-18
Account Name: SPLUNKPRD01$
Account Domain: TESTENV
Logon ID: 0x3E7
Object:
Object Server: Security
Handle ID: 0xfe8
Process Information:
Process ID: 0x688
Process Name: C:\Program Files\Splunk\bin\splunkd.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}
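As an added check that is not part of this thread, the script below runs the Message regexes from blacklist3 and blacklist5 against message text constructed from the two sample events above. Note that blacklist5 looks for "Process_Name" while the 4660 sample prints "Process Name" with a space; the script also shows what happens with the spaced form. It assumes Splunk applies the regex as an unanchored search, and it hoists the mid-pattern (?i) into a flag because Python's re (unlike Splunk's PCRE) rejects it there.

```python
import re

# Message regexes copied from the blacklist3 and blacklist5 lines posted above.
BLACKLIST3_MSG = r"Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"
BLACKLIST5_MSG = r"Process_Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"

# Message bodies constructed from the fields of the two sample events in the
# thread (Windows indents these sub-fields with tabs in the raw event).
SAMPLE_4663 = (
    "An attempt was made to access an object.\n"
    "Object:\n\tObject Name:\tE:\\Splunk\\datastore\\optiv\\db\\hot_v1_126\\Hosts.data\n"
    "Process Information:\n\tProcess ID:\t0x8e8\n"
    "\tProcess Name:\tC:\\Program Files\\Splunk\\bin\\splunkd.exe\n"
)
SAMPLE_4660 = (
    "An object was deleted.\n"
    "Process Information:\n\tProcess ID:\t0x688\n"
    "\tProcess Name:\tC:\\Program Files\\Splunk\\bin\\splunkd.exe\n"
)


def compile_splunk_regex(pattern: str) -> re.Pattern:
    """Compile a blacklist Message regex so Python's re can evaluate it.

    Splunk uses PCRE, where a mid-pattern (?i) is legal. Python 3.11+ raises
    an error unless the flag leads the pattern, so it is moved into re.IGNORECASE;
    the rest of the syntax used here is identical in both engines.
    """
    flags = re.IGNORECASE if "(?i)" in pattern else 0
    return re.compile(pattern.replace("(?i)", ""), flags)


def is_blacklisted(pattern: str, message: str) -> bool:
    """Unanchored search, assumed to mirror how Splunk applies a blacklist regex."""
    return compile_splunk_regex(pattern).search(message) is not None


def check_all() -> dict:
    """Evaluate each posted blacklist against the matching sample event."""
    spaced_blacklist5 = BLACKLIST5_MSG.replace("Process_Name", "Process Name")
    return {
        "blacklist3_vs_4663": is_blacklisted(BLACKLIST3_MSG, SAMPLE_4663),      # True
        "blacklist5_vs_4660": is_blacklisted(BLACKLIST5_MSG, SAMPLE_4660),      # False
        "blacklist5_spaced_vs_4660": is_blacklisted(spaced_blacklist5, SAMPLE_4660),  # True
    }


if __name__ == "__main__":
    for name, hit in check_all().items():
        print(f"{name}: {'blocked' if hit else 'NOT blocked'}")
```

The underscore form never occurs in the 4660 message text, so that rule cannot match; whether it is the only cause in the poster's environment is not something the thread establishes.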