Good Morning,
I've followed guides/forums and steps on this site but still can't get my blacklists to work at all. The situation is that I've set up a Splunk Alert Monitor dashboard and one of the alerts is for new process starts; the Splunk forwarder is causing hundreds of alerts on this, so I want to blacklist it. Firstly, could someone please confirm which inputs.conf to edit, as there are multiple? Secondly, is this order correct?
[WinEventLog://Security]
disabled=0
current_only=1
blacklist = 4689,5158
i.e., is the blacklist option in the right place? There are a few other lines in the inputs.conf I've found, like oldest first. Finally, what string will actually work and stop me seeing all processes started by Splunk?
Thank you in advance.
The order of options within a single stanza is usually applied top to bottom (take into account the conf file precedence: https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Wheretofindtheconfigurationfiles).
Keeping that in mind, you should never overwrite any setting in default/*.conf files.
Stick to local/*.conf
In the case of Windows inputs on a forwarder, it's probably most convenient to edit etc/apps/TA_for_windows_dir/local/inputs.conf
So your entry seems relatively OK. See https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Inputsconf#Event_Log_filtering
Thanks for the reply.
I've applied a blacklist option, restarted Splunk, then ran a search for index=wineventlog EventCode=4688, and it still shows Splunk process starts. I've even changed the blacklist to just EventCode=4688 and it still shows these events in the results. Am I missing something? The only inputs file I can find under Apps > Local is under launcher. Not sure if this is right. Apologies, I'm new to Splunk.
Thanks.
In the excerpt you pasted here, you blacklisted event 4689, not 4688.
Apologies, that excerpt wasn't actually what I've been using, I just put that as an example of the layout I was going for.
Well, theoretically, it should work. You can try the regex form instead of the event ID list, but it should work either way.
Are you only collecting local events, or maybe also some forwarded from "outside" by WEF?
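As an added example (not posted by anyone in this thread), here is what the regex form mentioned above looks like next to the event ID list form from the original post. The key=regex syntax comes from the inputs.conf spec linked earlier; the app directory name and the exact Message regex are assumptions you will need to adapt to the process names on your forwarder host.

```ini
# etc/apps/<TA_for_windows_dir>/local/inputs.conf on the forwarder host
# (added example; directory name is a placeholder, edit local/, never default/)
[WinEventLog://Security]
disabled = 0
current_only = 1

# Event ID list form, as in the original post. 4689 is process
# termination, so 4688 (process creation) events are not dropped by it.
# blacklist = 4689,5158

# Advanced key=regex form: each key is matched against its own event field.
# Values may be delimited with % or double quotes. This keeps every 4688
# except those whose Message (which contains New Process Name) refers to
# a Splunk executable. The Message regex is an assumption; tune it to the
# install path shown in your own 4688 events.
blacklist1 = EventCode=%^4688$% Message=%(?i)splunk\S*\.exe%
```

The filter runs at collection time on the forwarder, so restart the forwarder after editing and expect events that were already indexed to keep appearing in searches over older time ranges. The numbered keys (blacklist1, blacklist2, ...) let you keep separate filters for other noisy codes without folding them into one regex.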