Getting Data In

Why is blacklisting Windows event logs on a deployment server not working?

nick405060
Motivator

I tried following the documentation for blacklisting Windows event logs in Splunk 6.3.1 without success. I tried editing Splunk/etc/system/local/inputs.conf as well as Splunk/etc/apps/Splunk_TA_windows/local

1 Solution

nick405060
Motivator

I posted this question just so that I could answer it for the Splunk community in case it helps anyone else out. If someone could convert this to an answer that would be great. Copied and pasted from an email to a coworker:

Here are some notes regarding blacklisting in Splunk (note that this differs sharply from the official/flawed 6.3.1 documentation).

- Blacklisting forwarded Windows event logs on the deployment server needs to be done in Splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf, followed by either a Splunk reboot or "splunk reload deploy-server" (note that I cannot get the command to work in PowerShell).
- Your first blacklist (blacklist, not blacklist1) is the only line that can take a list of event IDs:
      blacklist = 0-4623,4625-100000
- Numbered blacklists, up to and including blacklist9, take regular expressions, but they need to be surrounded by % instead of quotation marks. Also note that wildcards are not accepted as they are in a Splunk search or Splunk XML (e.g. blacklist1 = Message=%*thingtofind*%); they need to be a strict regex (e.g. .* or [\s\S]*):
      blacklist1 = Message=%[\s\S]*Account Name:\s*(ABCEX|Mimecast_MSESvc|APMMONITOR|ABCDC|DEF)[\s\S]*%
- You can only blacklist on: Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

Cheers,

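As an added example (not part of nick405060's post and not Splunk's own code), a small Python checker that applies the rules from the answer to an inputs.conf stanza before it is pushed to the deployment server: it takes the event-ID list only from the plain blacklist key, %-delimited Field=regex rules only from blacklist1 to blacklist9, rejects search-style wildcards and fields outside the blacklistable list, and then evaluates constructed events. The stanza and the matching logic are assumptions about how Splunk interprets these keys, not its implementation.

```python
import re
ALLOWED_FIELDS = {  # the fields the answer lists as blacklistable
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType", "Keywords",
    "LogName", "Message", "OpCode", "RecordNumber", "Sid", "SidType", "SourceName",
    "TaskCategory", "Type", "User"}

# Constructed stanza in the shape the answer describes (assumed, not from a real deployment)
SAMPLE_STANZA = r"""[WinEventLog://Security]
blacklist = 0-4623,4625-100000
blacklist1 = Message=%[\s\S]*Account Name:\s*(ABCEX|Mimecast_MSESvc|APMMONITOR|ABCDC|DEF)[\s\S]*%
"""

def parse_id_ranges(value):
    # "0-4623,4625-100000" -> [(0, 4623), (4625, 100000)]; a lone "N" becomes (N, N)
    pairs = [item.strip().partition("-") for item in value.split(",")]
    return [(int(lo), int(hi or lo)) for lo, _, hi in pairs]

def parse_regex_rule(value):
    # "Field=%regex%" -> (field, regex); rejects missing % delimiters, unknown fields, bad regexes
    m = re.fullmatch(r"(\w+)=%(.*)%", value, re.S)
    if not m:
        raise ValueError(f"expected Field=%regex%, got: {value}")
    field, pattern = m.groups()
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"{field} is not a blacklistable field")
    try:
        return field, re.compile(pattern)  # a search wildcard such as %*thing*% fails here
    except re.error as exc:
        raise ValueError(f"bad regex in {field} rule: {exc}") from exc

def load_blacklists(stanza_text):
    # The ID list comes only from "blacklist"; regex rules only from blacklist1..blacklist9
    id_ranges, regex_rules = [], []
    for line in stanza_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key.startswith("blacklist"):
            continue
        if key == "blacklist":
            id_ranges = parse_id_ranges(value)
        elif re.fullmatch(r"blacklist[1-9]", key):
            regex_rules.append(parse_regex_rule(value))
        else:
            raise ValueError(f"{key}: only blacklist and blacklist1-blacklist9 are supported")
    return id_ranges, regex_rules

def is_blacklisted(event, id_ranges, regex_rules):
    # Drop the event if its EventCode is in a range or any regex rule matches its field
    code = int(event.get("EventCode", -1))
    return (any(lo <= code <= hi for lo, hi in id_ranges)
            or any(rx.search(str(event.get(f, ""))) for f, rx in regex_rules))
```

Running load_blacklists over a stanza before deploying it catches the wildcard mistake the answer warns about as a ValueError instead of a silently non-matching rule on the forwarders.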

MuS
SplunkTrust

If you want to deploy the modified inputs.conf to deployment clients, you must put the changed app into $SPLUNK_HOME/etc/deployment-apps/YourAppNameHere/local and configure a server class to deploy it.

cheers, MuS

cstump_splunk
Splunk Employee

On the PowerShell comment, make sure you cd to the Splunk bin directory and that you dot source the Splunk binary:

./splunk reload deploy-server

Also, run PS with elevated permissions.
