Hello there,
I'm currently trying to whitelist incoming Windows events by EventCode, but it doesn't actually filter the events. I've searched through various documentation, but can't seem to find the right settings.
Here's what I did:
in Splunk\etc\system\local\inputs.conf:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs. (I also tried whitelist = 4663 )
whitelist1 = EventCode=4663
# exclude these event IDs from being indexed.
# blacklist =
I'm still a bit confused about which inputs.conf is for what (if anyone has a good documentation for that...)
Did I choose the right one? I tried restarting Splunk, but it's still indexing the wrong events.
What am I missing?
Try the following:
whitelist=EventCode="^4663$"
Hi niketnilay,
this doesn't seem to work for me.
Currently are you seeing all event codes from Security and not just 4663?
When you disable the WinEventLog://Security does it stop sending the events?
[WinEventLog://Security]
disabled = 1
Hi elindemann,
the best documentation you can find is at https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf.
If your filter doesn't run verify the regex you used in your whitelist.
Bye.
Giuseppe
Hello Giuseppe,
thanks for the reply.
From the documentation:
# Event Log filtering
#
# Filtering at the input layer is desirable to reduce the total
# processing load in network transfer and computation on the Splunk
# nodes that acquire and process Event Log data.
whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]
[...]
* These settings are optional.
* Both numbered and unnumbered whitelists and blacklists support two formats:
* A comma-separated list of event IDs.
* A list of key=regular expression pairs.
* You cannot combine these formats. You can use either format on a specific line.
so I adjusted my inputs.conf to
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
# whitelist = EventCode="4663"
whitelist = 4663
# exclude these event IDs from being indexed.
#blacklist = 2001-3000
but still with the same result. It can't be the regex because I actually don't want to mess with it when I can just take the super easy approach.
Hi elindemann,
I don't think that whitelist = 4663 is correct; it should rather be whitelist = EventCode=4663 or whitelist = EventCode\=4663.
In https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf there is an example whitelist = EventCode=%^200$%
I usually don't filter events in Universal Forwarder but only on the Indexers.
Hello Giuseppe,
I tried whitelist = EventCode\=4663
and whitelist = EventCode=%^4663$%
but both didn't work.
My problem is that I want to get that one EventCode, but it's generated with a lot of other noise around it that I don't want indexed, mostly because it would hit the license pretty hard without any good reason.
Do you know any other way that would be possible?
Hi elindemann,
It's possible and I did it, but I used a different approach: I filtered events on the indexers, I didn't use whitelist.
I know that this solves only the Splunk license problem and doesn't eliminate network traffic, but it gives me more control over the filter.
Bye.
Giuseppe
Hi Giuseppe,
can you tell me how you did it?
I'm not that concerned about network traffic.
Just to be clear, I'm not using forwarders or any fancy setups. All I have is the Splunk server on one machine and the file server on another. The Splunk server is getting the events by itself and I want not all these events filtered.
Maybe my first approach wasn't the right one?
I think that you should use a Universal Forwarder on the file server; in this way the transfer between file server and Splunk server is optimized in many ways (compression, cache, bandwidth, etc.).
Anyway, to filter events (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad) you have to edit:
props.conf
[your_sourcetype]
TRANSFORMS-null= setnull
transforms.conf
[setnull]
REGEX = EventCode\=4663
DEST_KEY = queue
FORMAT = nullQueue
and restart Splunk
Bye.
Giuseppe
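As an added illustration of the props.conf/transforms.conf routing discussed above (this is a small model written for this thread, not Splunk's code or code from any poster), the script below applies TRANSFORMS-<class> stanzas in order to constructed sample Security events, assuming Splunk's documented rule that each matching transform overwrites the queue key so the last match wins. It shows that a single transform sending EventCode=4663 to nullQueue drops the one event the question wants to keep, while the documented "keep only these events" pattern (everything to nullQueue, then a later transform routing 4663 back to indexQueue) keeps only 4663, and that listing the two stanzas in the wrong order drops everything.

```python
import configparser
import re

# Constructed sample WinEventLog events; EventCode is a field in the raw text.
SAMPLE_EVENTS = [
    "EventCode=4663 An attempt was made to access an object.",
    "EventCode=4624 An account was successfully logged on.",
    "EventCode=4663 An attempt was made to access an object.",
    "EventCode=5156 The Windows Filtering Platform has permitted a connection.",
]

# Variant A (the single transform posted above): 4663 itself goes to nullQueue.
TRANSFORMS_DROP_4663 = """
[setnull]
REGEX = EventCode\\=4663
DEST_KEY = queue
FORMAT = nullQueue
"""

# Variant B: documented "keep only these events" pattern. setnull drops everything,
# then setparsing (listed AFTER it in TRANSFORMS-<class>) routes 4663 back to indexQueue.
TRANSFORMS_KEEP_ONLY_4663 = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = EventCode\\=4663
DEST_KEY = queue
FORMAT = indexQueue
"""

def load_transforms(text):
    # Parse a transforms.conf fragment into {stanza: {key: value}}.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route(event, transforms, order):
    """Apply transforms in props.conf order; the last matching one sets the queue."""
    queue = "indexQueue"  # default when nothing matches
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue

def indexed_events(events, transforms_text, order):
    # Return the events that reach indexQueue under this configuration.
    transforms = load_transforms(transforms_text)
    return [e for e in events if route(e, transforms, order) == "indexQueue"]
```

The order passed to indexed_events stands for the comma-separated list in the props.conf TRANSFORMS-<class> setting; the model ignores cross-class ordering and other DEST_KEYs.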