Solved: How to Blacklist on a Universal Forwarder with a T...

pfabrizi · ‎08-20-2018

I have a UF running on a linux device, with a TCP input. The input is coming from a Graylog forwarder and all the windows events coming with a 'winlogbeat_ preface.

I want to black list windows events coming by event code and normally I use a blacklist -= EventCode="xxxx" Message=....

however the eventcode comes in as winlogbeat_event_id,
I did try this:
blacklist1= winlogbeat_event_id = "4662"

This doesn't appear to work.

Can someone help with this?

Is there any log that shows events being whitelisted or blacklisted?

Thank You!

FrankVl · ‎08-20-2018

TCP inputs cannot be filtered with blacklists like that. That only works for WinEventLog inputs.

Perhaps that Graylog forwarder you use can perform some filtering? Otherwise you would have to look at dropping the unwanted events at your Indexers, by routing them to the nullqueue: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

View solution in original post

FrankVl · ‎08-20-2018

TCP inputs cannot be filtered with blacklists like that. That only works for WinEventLog inputs.

Perhaps that Graylog forwarder you use can perform some filtering? Otherwise you would have to look at dropping the unwanted events at your Indexers, by routing them to the nullqueue: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

pfabrizi · ‎08-20-2018

Thank You, they can whitelist but not black list or that is what they told us.

Thank You!

FrankVl · ‎08-20-2018

whitelist = foo also doesn't work on a UF TCP input.

How to Blacklist on a Universal Forwarder with a TCP input?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes