Greetings--
I am trying to set up a WinEventLog inputs.conf whitelist for LAPS (EventCode=4662).
These events have a similar structure in so far as:
Object:
    Object Server: DS
    Object Type: computer
    Object Name: CN=hostname
Which looks something like...
[WinEventLog://Security]
disabled = 0
index = wineventlog
checkpointInterval = 5
blacklist1 = EventCode="4660" Message="Process Name:\s+(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|optimizer|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)"
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="4663" Message="Process Name:\s+(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|optimizer|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)"
blacklist4 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist5 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|optimizer|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)"
whitelist = EventCode="4662" Message="Object Type:(.*)computer([\s\S]*)Object Name:(.*)CN="
This seems to block all EventCode=4662
I have tried to do something to the effect of:
EventCode=%^4662$%
An interesting turn of events...
It looks like the events ARE being indexed...
but instead of Object Type: computer, Object Name: hostname, they are coming in as:
Object:
    Object Server: DS
    Object Type: %{bf967a86-0de6-11d0-a285-00aa003049e2}
    Object Name: %{fbdc83b5-af6f-4dd2-8256-458e8e1348e2}
    Handle ID: 0x0
Not sure why...
In the local event viewer, it is resolving the GUID.
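The following is an added example, not part of the post above: it runs the Message= regexes from the posted inputs.conf (the whitelist and blacklist2) over three constructed 4662 message bodies with Python's re module, which is close enough to Splunk's PCRE for these patterns. The sample messages are made up for the test, with fields tab-separated the way the Security log renders them; the object GUID and the schema GUID are the ones shown in the post, and bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the AD computer class. Two things fall out of it: blacklist2 as written matches every 4662 whose object type is not groupPolicyContainer, including the computer events the whitelist is trying to keep, and because \s+ can backtrack to a shorter run of whitespace, the negative lookahead also lets tab-separated groupPolicyContainer events through. The WHITELIST_FIXED and BLACKLIST2_FIXED patterns are my suggested replacements, not anything from the post; whether Splunk keeps or drops an event that matches both lists is its own precedence rule, so check inputs.conf.spec for your version.

```python
import re

# Constructed sample 4662 message bodies (not real events). Only the "Object:" block
# from the post is reproduced; the Security log renders fields tab-separated.
RESOLVED_COMPUTER = (
    "An operation was performed on an object.\n"
    "Object:\n"
    "\tObject Server:\t\tDS\n"
    "\tObject Type:\t\tcomputer\n"
    "\tObject Name:\t\tCN=WS01,OU=Workstations,DC=example,DC=local\n"
    "\tHandle ID:\t\t0x0\n"
)

# The same event as the forwarder delivered it in the post: schema GUID instead of the
# class name. bf967a86-... is the schemaIDGUID of the AD "computer" class.
UNRESOLVED_COMPUTER = (
    "An operation was performed on an object.\n"
    "Object:\n"
    "\tObject Server:\t\tDS\n"
    "\tObject Type:\t\t%{bf967a86-0de6-11d0-a285-00aa003049e2}\n"
    "\tObject Name:\t\t%{fbdc83b5-af6f-4dd2-8256-458e8e1348e2}\n"
    "\tHandle ID:\t\t0x0\n"
)

# A GPO read, which blacklist2 is meant to let through (Default Domain Policy GUID).
GPO_CONTAINER = (
    "An operation was performed on an object.\n"
    "Object:\n"
    "\tObject Server:\t\tDS\n"
    "\tObject Type:\t\tgroupPolicyContainer\n"
    "\tObject Name:\t\tCN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
    "CN=System,DC=example,DC=local\n"
    "\tHandle ID:\t\t0x0\n"
)

# Regex bodies exactly as posted (the Message="..." part of the inputs.conf lines).
WHITELIST_POSTED = r"Object Type:(.*)computer([\s\S]*)Object Name:(.*)CN="
BLACKLIST2_POSTED = r"Object Type:\s+(?!groupPolicyContainer)"

# Suggested replacements (hypothetical, not from the post):
#  - accept the class name or its schema GUID, since the forwarder may emit either,
#    and accept an Object Name that is a DN or a %{GUID};
#  - follow the lookahead with \S so \s+ cannot backtrack to fewer whitespace chars
#    and slip past (?!groupPolicyContainer).
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"
WHITELIST_FIXED = (
    r"Object Type:\s+(?:computer|%\{" + COMPUTER_CLASS_GUID + r"\})"
    r"[\s\S]*?Object Name:\s+(?:CN=|%\{)"
)
BLACKLIST2_FIXED = r"Object Type:\s+(?!groupPolicyContainer)\S"


def rule_matches(pattern: str, message: str) -> bool:
    """Mimic a Message= check: an unanchored regex search over the rendered text."""
    return re.search(pattern, message) is not None


def evaluate(message: str, whitelist: str, blacklist: str) -> dict:
    """Report which rules an event hits. Which one wins when both match is decided by
    Splunk's whitelist/blacklist precedence, not by this function."""
    return {
        "whitelist": rule_matches(whitelist, message),
        "blacklist": rule_matches(blacklist, message),
    }


if __name__ == "__main__":
    samples = {
        "resolved computer": RESOLVED_COMPUTER,
        "unresolved computer": UNRESOLVED_COMPUTER,
        "groupPolicyContainer": GPO_CONTAINER,
    }
    for label, msg in samples.items():
        posted = evaluate(msg, WHITELIST_POSTED, BLACKLIST2_POSTED)
        fixed = evaluate(msg, WHITELIST_FIXED, BLACKLIST2_FIXED)
        print(f"{label:22} posted={posted}  fixed={fixed}")
```

Run as-is to see the table: with the posted patterns the resolved computer event hits both lists, the GUID-form event misses the whitelist entirely (there is no "computer" on its Object Type line), and the groupPolicyContainer event still hits blacklist2 through backtracking. With the fixed patterns the GPO event hits neither list and both computer forms hit the whitelist, but they still hit blacklist2, so a blacklist of "everything that is not a GPO" cannot coexist with a whitelist for computer objects regardless of how the regex is written.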