I am trying to blacklist Windows Security event ID 5156 with source port number 8, but it does not seem to be working. Could anyone help me with this? Thank you in advance.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Source_Port=8
index = wineventlog
renderXml = false
Source_Port is not a valid key to use in a blacklist.
Taken from the manual:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=i...
Valid keys for the key=regex format:
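As an added illustration (not part of the original question or answer): the port number is not exposed as its own key, but the Message key is, and the regex is matched against the full event text. The constructed stanza below keeps the poster's existing blacklist1 and blacklist2 and rewrites blacklist3 to match the "Source Port:" line inside the 5156 message body. The `\s+` covers the tabs that Windows puts between the label and the value, and the trailing `\b` stops port 8 from also matching ports such as 80 or 8080. The optional blacklist4 is an assumed extension showing the same technique for the "Destination Address:" line.

```ini
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml = false

; Unchanged from the original stanza.
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

; Source_Port is not a blacklist key, so match the field inside the message text instead.
; Both key=regex pairs must match for the event to be dropped.
; \s+ absorbs the tab(s) after the label; \b prevents "8" from matching "80" or "8080".
blacklist3 = EventCode="5156" Message="Source Port:\s+8\b"

; Assumed extension: the same pattern works for any other line of the message body,
; here the destination address (addresses are constructed sample values).
blacklist4 = EventCode="5156" Message="Destination Address:\s+172\.(20|21)\.3\.(57|58|59|9)\b"
```

Two checks worth doing before trusting this: blacklisting for WinEventLog inputs requires a 6.1 or later universal forwarder, and the regex is only as good as the exact label text Windows writes, so copy the "Source Port:" line from a real 5156 event in Splunk rather than typing it from memory.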
I'm struggling with a similar issue too. For me it seems to just be flat-out blacklisting every 5156 EventCode at this point, despite my second regex criterion. I've tried both ways below.
blacklist = EventCode="5156" Destination_Address="172\.(20|21)\.3\.(57|58|59|9)"
blacklist = EventCode="5156" Message="Destination\ Address\:\ 172\.(20|21)\.3\.(57|58|59|9)"
I think my issue is that my UFs are still prior to 6.1 😐 :'(
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
Did you try escaping the double quotes?
I tried by doing:
blacklist3 = EventCode=5156 Source_Port=8
blacklist3 = EventCode="5156 Source_Port=8"
blacklist3 = EventCode=""5156" Source_Port="8""
but none worked...
In Splunk you usually escape characters with \, so if you want to escape a double quote you would type \"
Sorry, I just realised that this website escaped my escaping character.
I wanted to say that in Splunk you usually escape characters with a backslash before the character, e.g. EventCode=\"4662\"