Blacklisting Splunk Forwarder new process starts

ned692000
Engager

Good Morning,

I've followed guides/forums and steps on this site but still can't get my blacklists to work at all. The situation is that I've set up a Splunk Alert Monitor dashboard and one of the alerts is new process starts; the Splunk forwarder is causing hundreds of alerts on this, so I want to blacklist it. Firstly, could someone please confirm which inputs.conf to edit, as there are multiple? Secondly, is this order correct?

[WinEventLog://Security]
disabled=0
current_only=1
blacklist = 4689,5158

i.e. is the blacklist option in the right place? There are a few other lines in the inputs.conf I've found, like oldest first. Finally, what string will actually work and stop me seeing all processes started by Splunk?


Thank you in advance.


PickleRick
SplunkTrust

Order of options within a single stanza is usually applied top to bottom (take into account https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Wheretofindtheconfigurationfiles conf files precedence).

Keeping that in mind, you should never overwrite any setting in default/*.conf files.

Stick to local/*.conf

In the case of Windows inputs on a forwarder, it's probably most convenient to edit etc/apps/TA_for_windows_dir/local/inputs.conf

So your entry seems relatively OK. See https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Inputsconf#Event_Log_filtering



ned692000
Engager

Thanks for the reply.

I've applied a blacklist option, restarted Splunk, then ran a search for index=wineventlog EventCode=4688 and it still shows Splunk process starts. I've even changed the blacklist to just EventCode=4688 and it still shows these events in the results. Am I missing something? The only inputs file I can find under Apps, Local is under launcher. Not sure if this is right. Apologies, I'm new to Splunk.


Thanks.


PickleRick
SplunkTrust

In the excerpt you pasted here, you blacklisted event 4689, not 4688.


ned692000
Engager

Apologies, that excerpt wasn't actually what I've been using, I just put that as an example of the layout I was going for.


PickleRick
SplunkTrust

Well, theoretically, it should work. You can try the regex form instead of the event ID list, but it should work either way.

Are you only collecting local events or maybe some forwarded from "outside" by WEF also?

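The regex form mentioned above, as an added example of a local/inputs.conf stanza that is not from this thread or from Splunk's own TA; it assumes the forwarder's helper processes are all named splunk*.exe (e.g. splunkd.exe, splunk-powershell.exe) and that the goal is to drop only those 4688 events while keeping every other process start:

```ini
# Added example: etc/apps/<windows TA dir>/local/inputs.conf on the forwarder.
# Never edit default/inputs.conf; local/ overrides it and survives upgrades.
[WinEventLog://Security]
disabled = 0
current_only = 1

# Plain-list form: drops EVERY event with these codes, regardless of process.
# This is why "blacklist = 4688" hides all process starts, not just Splunk's.
blacklist = 4689,5158

# Key=regex form (numbered blacklist1, blacklist2, ...): each key is an event
# field and its value a PCRE in double quotes. The event is dropped only when
# ALL keys in the line match. Here: EventCode 4688 whose "New Process Name:"
# line ends in \splunk<anything>.exe, matched case-insensitively.
# (Process-name pattern is an assumption about this forwarder's binaries.)
blacklist1 = EventCode="4688" Message="New Process Name:\s*(?i).*\\splunk[\w-]*\.exe"

# Caveat: this only filters events read from the local Security log. Events
# collected centrally by Windows Event Forwarding land in a different channel,
# so a WEF collector needs the same filter on its own stanza.
[WinEventLog://ForwardedEvents]
disabled = 0
blacklist1 = EventCode="4688" Message="New Process Name:\s*(?i).*\\splunk[\w-]*\.exe"
```

Verify with splunk btool inputs list --debug on the forwarder to confirm which file's stanza wins before restarting, then re-run the EventCode=4688 search and check that non-Splunk process starts are still indexed.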