Hello All,
I have been trying to blacklist an event code from Windows as follows, but the events keep on coming.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="5156"
Grateful if you could let me know what I am doing wrong.
Rgds.
Hi,
I know you asked about blacklist and I see why, but if this is not working for you, did you try sending to nullQueue on the indexer?
props.conf
[WinEventLog:Security]
TRANSFORMS-<name> = <name_in_transforms>
transforms.conf
[<name_in_transforms>]
# conf values are taken literally, so the regex goes without surrounding quotes
REGEX = EventCode=(4747|5156)
DEST_KEY = queue
FORMAT = nullQueue
If you want to filter on more than the EventCode number, you can just extend the regex, but you will need a (?s) in front because of the newline characters in WinEventLog events, e.g. REGEX = (?s)EventCode=(4662|4634|4672).*Message=[....]
Hi,
A quick update: the blacklist is working for my localhost events only. The sourcetype for localhost is coming in as WinEventLog:Security.
inputs.conf:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 4658
This works perfectly and blocks all 4658 events.
However, I am collecting the Security event log over WMI from other machines. The sourcetype in Splunk is "WMI:WinEventLog://Security", and these are not getting filtered.
P.S. I have Splunk 7.2.3.
Any ideas on how to make it work?
Rgds,
Just add your blacklist = 4658 to your inputs stanza for "WMI:WinEventLog://Security".
Hi Dkeck,
Finally it works. Yes, I had to add WMI:WinEventLog://Security, and I used the props and transforms as you mentioned above, and it works 🙂
Many thanks.
Then please be so kind and accept my initial answer 🙂
Thanks.
Sorry for a silly question. I am using Splunk on Windows. Where are transforms.conf and props.conf found?
Also, I read that some are using the Splunk forwarder. Is it necessary to use it? Or can we add this blacklist / nullQueue to Splunk only?
Rgds.
You set the nullQueue on your indexer. You can create your own transforms and props in any app you like. Just place it in $SPLUNK_HOME/splunk/etc/apps/<your app>/local. You would have to create your app and local directory, OR you place it in $SPLUNK_HOME/splunk/etc/system/local.
Don't forget to restart after the changes 😉
I have added props.conf and transforms.conf in $SPLUNK_HOME/splunk/etc/system/local.
I am having the following error on restarting Splunk:
Splunk> Map. Reduce. Recycle.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as emtelorg\emteladmin)
Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\system\local\props.conf, line 3: {{TRANSFORMS-
Invalid key in stanza [
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-7.2.3-06d57c595b80-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Sorry, my answers above had some formatting issues. Please copy the transforms and props code again; I changed it.
Don't forget to change the "<name>" values to your own names.