Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I filter Event Log with blacklists in inputs.conf

alexrivero
New Member
‎07-25-2019 12:25 PM

I'm trying to create a blacklist for several Event IDs to exclude any events with multiple user accounts. For example, I'd like to filter EventID 4688 for any logs where the Account Name is Blank, any service account that begins with svc, any computer account that ends with $, etc.

I've tried the following, but I don't think either syntax is correct and i'm not sure how to include wildcards.

blacklist1=EventCode="4624,4625,4688" Message="Account Name:\s+$s+"
blacklist2=EventCode=%^(4624|4625|4688)$% User=%svc% %$% % %

NOTE: The 2 blacklist lines are the formats I've tried. I did not have both lines running at the same time.

What i'm looking for is essentially something like this:

Blacklist = EventID1, 2, 3 Account=*$, svc*, *(blank)*

I've tried using regex101 and regexer, but I feel i'm just not grasping the syntax of RegEx in general. Any help would be appreciated!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2019 01:59 PM

Understanding regular expressions (even a little) is critical to getting blacklists to work.

There is one wildcard character in regexes: .. It (and just about anything else) can be following by a quantifier that says how many of that character are allowed. * means any number, + means at least one, and ? means one or none. There are other quantifiers, but that's a more advanced topic.

There are some special characters to know about. $ means end-of-line, ^ means beginning-of-line, | separates optional matches, and '\' cancels a special character. Anything that is not a special character or quantifier is literal text.

Armed with that information, your example blacklist1 would match only an event with an EventCode field that contains 3 numbers (not gonna happen). Blacklist2 is not valid because it contains two strings without matching keywords.

Try these:
blacklist1 = EventCode="4624|4625|4688" Message="Account Name:\s+\$.*"
blacklist2 = EventCode="4624|4625|4688" User=".*\$|svc.*|.*\s+.*"

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

alexrivero
New Member
‎07-25-2019 04:31 PM

So i've tried both of your options, but I'm still getting events coming in with Account Names/User names listed in the blacklist (computer$, svc, blank, etc)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-26-2019 05:48 AM

Closely examine the Message and User fields of the unwanted events. Make sure the contents match the regular expressions in your blacklists. If they don't, adjust the regexes as needed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...