- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- getting bombarded with windows security error code...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
getting bombarded with windows security error code 5156 and 5157 (Win security)
Hello All,
I have a distributed system where i have a heavy forwarder collecting traffic from the UF's and forwarding events to the indexer. I have a DMC which is on another server. Currently im getting bombarded with 5156 and 5157 error messages from windows security. Ive read somwhere that i can blacklist the values on inputs.conf. Can someone please let me know on which inputs.conf file on which server i have to do the blacklist on? Alternatively is there any other method to control this constant flow of data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ranjitbrhm1, add the following blacklist to your inputs.conf stanza to filter out events from UF:
blacklist = 5156,5157
Refer to documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_the_Security_...
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer @niketnilay as always. I really appreciate it. But my main problem is on which %SPLUNK_HOME%\etc\system\local\inputs.conf do i make the changes to ? the app that i use to deploy the inputs.conf to the UF's. The heavy forwarders inputs or the indexers input. Thats the question that is boggling me. I tried sending out this change via the DMC on to the UF's but it does not have any effect it seems.
My inputs.conf file is as below
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 1
start_from = oldest
index = winevents
blacklist = 5156|5157|5158
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents
[perfmon://Windows__Processor]
counters = *
instances = _Total
interval = 10
object = Processor
index = winevents
[perfmon://Windows__Memory]
counters = Available Bytes
interval = 10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ranjitbrhm1, the heavy forwarder should definitely be able to filter, but UF should be able to filter events upfront. If possible test with a standalone machine and Test Splunk server.
You can look into sending unwanted data to nullQueue before indexing, however, I strongly feel this should work. Let me convert my answer to comment for community Splunk experts to weigh in their opinion.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As always your help and suggestions are most appreciated. I will spin up a splunk server and a couple of clients and test this out. I myself have a couple of concepts that i need testing as well.
Thanks
/R
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
