Why won't Windows filter work?

Charlie5 · ‎06-13-2023

Hello Splunk Community,

I am having some difficulty getting Windows event log filters to work properly. Whatever I have specified in the inputs.conf of Splunk_TA_windows is being ignored, I can tell because there are significant volumes of events present that are not in the whitelist stanzas. I have even tried blocklisting very large numbers of these unwanted event codes explicitly (in blacklist1) without success.

I can see the app successfully deploy to my clients in internal logs when I push changes to the server class or add-on, and those that I have verified have these exact stanza settings on them are still sending event logs that are not on the whitelist or are explicitly blocklisted.

I am using 8.6.0 of the Windows add-on and UFs on 8x and 9x versions (hundreds). To make matters worse, ingest actions are also not working properly, I have tried adding what is effectively the same regex as an the ingest action (blacklist1 on Splunk Cloud), but am still seeing these unwanted codes.

Is anyone else having this problem, or am I doing something wrong? Also, I have the format as Xml (as I understand it XML logs are typically smaller in size then their non-XML counterparts. Does this mean in the advanced format filters I need to use "$XmlRegex=" or can I still use the EventCode=" regex?

[WinEventLog://Security]
renderXml = true
whitelist1=EventCode="(4740|644|104|1100|4624|528|4625|529|4776|680|681|4720|624|4732|636|4728|632|4756|660|4771|675|4730|634|4734|638|4758|662|1102|517|4722|626|4726|630|4768|672|676|4769|673|4765|4766|5145)"
blacklist1=$XmlRegex="EventID>(53506|53504|40970|40962|40961|36928|... (this blocklist goes on and on)

Charlie5 · ‎06-14-2023

@caiosalonso
I've pushed the stanzas as you recommended but still not luck, I'm still getting event codes that I explicitly have blocklisted. I am going to try another ingest action that is limited to less event ids, but I still can't get it to pull a sample from the sourcetype.

Do you know if it needs to pull a sample for the ingest action to work once implemented? Or is there something, like a component in internal logs, that tracks the ingest action actually working?

Charlie5 · ‎06-14-2023

Thank you for the suggestion, I will try switching to this format and let you know how it goes.

caiosalonso · ‎06-13-2023

Hi,

I have searched some documentation related to filtering Windows data, and I would reccomend you using the format with "$XmlRegex". Have you already tried using both whitelist and blacklist with the "$XmlRegex" option?

I guess your stanza should be something similar to:

[WinEventLog://Security]
renderXml = true
whitelist1 = $XmlRegex="<EventID>(4740|644|104|1100|4624|528|4625|529|4776|680|681|4720|624|4732|636|4728|632|4756|660|4771|675|4730|634|4734|638|4758|662|1102|517|4722|626|4726|630|4768|672|676|4769|673|4765|4766|5145)<\/EventID>"
blacklist1 = $XmlRegex="<EventID>(53506|53504|40970|40962|40961|36928|...)<\/EventID>"

Charlie5 · ‎06-20-2023

I've tried both, and rendering in non-XML format and filtering using the non-XML format for blacklists/whitelists, still no luck.

Why won't Windows filter work?

other

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?