Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to blacklist events for a specific event code and task category?

nmohammed
Contributor
‎07-13-2018 11:52 AM

Trying to blacklist specific windows event logs based on event code and task category, but doesn't work .

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = winevents
renderXml=false
blacklist1=EventCode="5145" TaskCategory="(Detailed File Share|File Share)"

Example event - 

07/13/2018 11:22:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5140
EventType=0
Type=Information
ComputerName=SomeServer
TaskCategory=File Share
OpCode=Info
RecordNumber=5487448804
Keywords=Audit Success
Message=A network share object was accessed.

Subject:
    Security ID:        S-1-5-21-xxxxxxxxx-xxxxxx-xxxxxx-xxxx
    Account Name:       cz9_rmc_s3_CIFS$
    Account Domain:     domain
    Logon ID:       0x3D9AC95C1

Network Information:    
    Object Type:        File
    Source Address:     10.xxx.xx.xxx
    Source Port:        45088

Share Information:
    Share Name:     \\*\IPC$
    Share Path:     

Access Request Information:
    Access Mask:        0x1
    Accesses:       ReadData (or ListDirectory)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

CarsonZa
Contributor
‎07-13-2018 11:59 AM

try this

blacklist=EventCode=%^5145$% TaskCategory=%(Detailed File Share|File Share)%

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-13-2018 12:11 PM

Try using just blacklist instead of blacklist1. You can have upto 10 blacklist filters applied but it should start with blacklist, blacklist1, blacklist2...etc till blacklist9.

0 Karma
Reply
Solved! Jump to solution

nmohammed
Contributor
‎07-13-2018 03:36 PM

Tried this -

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = winevents
renderXml=false
blacklist1=EventCode="5145" TaskCategory="Detailed File Share"
blacklist1=EventCode="5145" TaskCategory="File Share"

Did not work. Still see the events come in.

0 Karma
Reply
Solved! Jump to solution
Solution

CarsonZa
Contributor
‎07-13-2018 11:59 AM

try this

blacklist=EventCode=%^5145$% TaskCategory=%(Detailed File Share|File Share)%

Reply
Solved! Jump to solution

gurulee
Explorer
‎08-07-2020 02:17 PM

Thank you for sharing. I found this helpful.

0 Karma
Reply
Solved! Jump to solution

nmohammed
Contributor
‎07-13-2018 04:33 PM

Actually this worked. I had two different EventCodes sending the Same Category.

Thanks @CarsonZa

Reply
Solved! Jump to solution

nmohammed
Contributor
‎07-13-2018 03:37 PM

Thanks , I tried it as well.. Did not work , still see the events come in.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...