Getting Data In

Blacklist an event code on Windows

irshadrahimbux
New Member

Hello All,

I have been trying to blacklist an event code from Windows as follows... but the events keep on coming.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="5156"

Grateful if you could let me know what I am doing wrong.

Rgds.

0 Karma
1 Solution

dkeck
Influencer

Hi,

I know you asked for blacklist and I see why, but if this is not working for you, did you try sending to nullQueue on the indexer?

props.conf

 [WinEventLog:Security]
 TRANSFORMS-<name> = <name_in_transforms>

transforms.conf

 [<name_in_transforms>]
 # conf values are taken literally, so the pattern is written without surrounding quotes
 REGEX = EventCode=(4747|5156)
 DEST_KEY = queue
 FORMAT = nullQueue

If you want to filter for more than the EventCode number, you can just add to the regex, but you will need a (?s) in front, because of the newline characters in WinEventLog events ( REGEX = (?s)EventCode=(4662|4634|4672).*Message=[....] ).

0 Karma
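
What the two filters in this thread (the inputs.conf blacklist in the question and the transforms.conf nullQueue stanza in the answer above) actually match can be checked offline before anything is pushed to an indexer. The script below is an added example, not code from the thread or from Splunk: it builds a handful of constructed Windows Security events in the key=value layout of the WinEventLog:Security sourcetype, runs candidate REGEX values over them with Python's re module standing in for Splunk's PCRE engine (both understand the (?m) and (?s) flags used here), and models the simple and advanced inputs.conf blacklist formats. The way the advanced format combines several field=regex pairs is an assumption and is labelled as such in the code.

```python
"""Offline check of the event-filtering regexes discussed in this thread.

Added example, not code from the original thread or from Splunk.  Python's
re module stands in for the PCRE engine Splunk uses; both understand the
(?m) and (?s) flags relied on below.  The sample events are constructed by
hand and are not real captures.
"""
import re


def _event(code, message):
    """Build one event in the multi-line key=value layout of the
    WinEventLog:Security sourcetype (a constructed sample)."""
    return (
        "01/15/2019 10:00:00 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=dc01.example.test\n"
        f"Message={message}\n"
    )


EVENTS = {
    "4747": _event(4747, "A member was removed from a security-disabled local group."),
    "5156": _event(5156, "The Windows Filtering Platform has permitted a connection."),
    "4624": _event(4624, "An account was successfully logged on."),
    "4662-gpo": _event(4662, "An operation was performed on an object.\n\n"
                             "Object:\n\tObject Server:\tDS\n\tObject Type:\tgroupPolicyContainer"),
    "4662-user": _event(4662, "An operation was performed on an object.\n\n"
                              "Object:\n\tObject Server:\tDS\n\tObject Type:\tuser"),
}


def event_code_regex(codes):
    """REGEX value for a transforms.conf nullQueue stanza that drops the given
    event codes.  (?m) makes ^ and $ match at line boundaries inside the
    multi-line event, so the code is matched as a whole line rather than as
    a substring of some other field."""
    return r"(?m)^EventCode=(" + "|".join(str(c) for c in codes) + r")$"


# Filtering on the Message body as well: without (?s) the '.' in '.*' does not
# cross the newlines between the EventCode= line and the Message= block.
MESSAGE_REGEX_NO_S = r"EventCode=4662.*Object Type:\s*groupPolicyContainer"
MESSAGE_REGEX = r"(?s)" + MESSAGE_REGEX_NO_S


def route(raw_event, regex):
    """Mimic DEST_KEY=queue / FORMAT=nullQueue: an event whose raw text matches
    the stanza's REGEX is discarded, everything else continues to be indexed."""
    return "nullQueue" if re.search(regex, raw_event) else "indexQueue"


def routing(regex):
    """Apply one REGEX to every sample event and report where each one goes."""
    return {name: route(raw, regex) for name, raw in EVENTS.items()}


def parse_fields(raw_event):
    """First key=value of each line; enough to pull EventCode out of an event."""
    fields = {}
    for line in raw_event.splitlines():
        key, sep, value = line.partition("=")
        if sep and key not in fields:
            fields[key] = value
    return fields


def simple_blacklisted(raw_event, blacklist):
    """inputs.conf simple format, e.g. `blacklist = 4658,5156,4000-4100`:
    a comma-separated list of event IDs or ID ranges."""
    code = int(parse_fields(raw_event)["EventCode"])
    for item in blacklist.split(","):
        low, _, high = item.strip().partition("-")
        if (int(low) <= code <= int(high)) if high else (code == int(low)):
            return True
    return False


def advanced_blacklisted(raw_event, field_regexes):
    """inputs.conf advanced format, e.g. `blacklist1 = EventCode="4747"`,
    modelled here as: every listed field's value must match its regex.
    That AND combination is an assumption; check the inputs.conf reference
    for your Splunk version."""
    fields = parse_fields(raw_event)
    return all(re.search(rx, fields.get(name, "")) for name, rx in field_regexes.items())


if __name__ == "__main__":
    for regex in (event_code_regex([4747, 5156]), MESSAGE_REGEX_NO_S, MESSAGE_REGEX):
        print(regex)
        for name, queue in routing(regex).items():
            print(f"  {name:10} -> {queue}")
```

Running it shows the anchored EventCode pattern sending only 4747 and 5156 to nullQueue, and the Message filter dropping the groupPolicyContainer 4662 event only once (?s) is present. Two things to carry over to the real configuration: conf values are taken literally, so a REGEX written with surrounding double quotes makes the quote characters part of the pattern (the btool output later in this thread shows exactly that), and the props.conf stanza must name every sourcetype the events arrive under, which for remotely collected logs is the WMI sourcetype rather than WinEventLog:Security.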

irshadrahimbux
New Member

Hi,

A quick update is that blacklist is working for my localhost events only. Sourcetype for localhost is coming as WinEventLog:Security.
inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 4658

This works perfectly and blocks all 4658 events.

However, I am collecting WMI event log security for other machines. Sourcetype in splunk is "WMI:WinEventLog://Security".
And these are not getting filtered.

P.S. I have Splunk 7.2.3.

Any ideas on how to make it work?

Rgds,

0 Karma

dkeck
Influencer

Just add to your inputs stanza for "WMI:WinEventLog://Security" your blacklist = 4658.

0 Karma

irshadrahimbux
New Member

Hi Dkeck,

Finally it works. Yes, I had to add WMI:WinEventLog://Security, and I used the props and transforms as you mentioned above, and it works 🙂

Many thanks.

0 Karma

dkeck
Influencer

Then please be so kind and accept my initial answer 🙂

0 Karma

irshadrahimbux
New Member

Thanks.
Sorry for a silly question. I am using Splunk on Windows. Where are transforms.conf and props.conf found?

Also, I read that some are using the Splunk forwarder. Is it necessary to use it? Or can we add this blacklist / nullQueue to Splunk only?

Rgds.

0 Karma

dkeck
Influencer

You set the nullQueue on your indexer. You can create your own transforms and props in any app you like.

Just place it in $SPLUNK_HOME/splunk/etc/apps/<your app>/local. You would have to create your app and local directory, OR you place it in $SPLUNK_HOME/splunk/etc/system/local.

Don't forget to restart after the changes 😉

0 Karma

irshadrahimbux
New Member

I have added props.conf and transforms.conf in $SPLUNK_HOME/splunk/etc/system/local.

I am having the following error on restarting Splunk:

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as emtelorg\emteladmin)
Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\system\local\props.conf, line 3: {{TRANSFORMS- (value: ).
Invalid key in stanza [] in C:\Program Files\Splunk\etc\system\local\transforms.conf, line 3: {{REGEX (value: "EventCode=(5156|4634|4672)").
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-7.2.3-06d57c595b80-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

0 Karma

dkeck
Influencer

Sorry, my answers above had some formatting issues. Please copy the transforms and props code again; I changed it.

Don't forget to change the "<name>" values to your own names.

0 Karma