Splunk Search

Inputs.conf Blacklist - Different Messages on the same line

icewolf69
Loves-to-Learn Everything

Hi All,

I'm tweaking my inputs.conf file to exclude some events for the Windows Security log.

I'm filtering EventCode 4688 by message. For compatibility reasons, I want to use the same inputs.conf file for all Windows machines. But Windows 11 has tweaked a couple of event logs, and one of those is 4688.

For Windows 10 and below the following blacklist is working as expected:

blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"

This filters everything except %%1937.

But this won't work for Windows 11, because they have changed the Token Elevation Type to "TokenElevationTypeFull" for what was previously "%%1937". Therefore, if a Windows 10 inputs.conf file ends up on a Windows 11 machine, it blacklists all the 4688 logs.

So simply, I would like to add the 2 lines together on a single line, so that if either TokenElevationType is found, it goes through.  But the "|" operator doesn't seem to be working, or I'm not doing the correct syntax.

blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"
blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*TokenElevationTypeFull)"

Can anyone help marry these 2 checks with an OR operator?

Thank you


icewolf69
Loves-to-Learn Everything

I think I've figured it out; I just went a different direction with deny/allow syntax. I'm not sure if this is more CPU intensive than the first method, since it would be checking 4 conditions instead of 2...

blacklist1 = EventCode="4688" Message="%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"

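Added worked example (not part of the original post or the follow-up): a small Python script that runs the poster's two per-OS blacklist regexes, the single OR'd lookahead that was asked for, and the four-value alternation from the follow-up against constructed 4688 message fragments, and reports which events would survive. Python's re supports the same negative-lookahead and alternation syntax as the PCRE Splunk applies to an inputs.conf blacklist, so the results carry over. The sample messages, the "(1)/(2)/(3)" suffixes on the Windows 11 values, and the helper names blacklisted, kept and inputs_conf_line are my assumptions, not anything from the thread.

```python
import re

# Constructed, abbreviated 4688 messages standing in for the two OS generations
# the post describes. They are not captured logs; the Windows 11 rendering of the
# numeric suffix (e.g. "(2)") is an assumption and no regex below depends on it.
SAMPLES = {
    "win10_default": "A new process has been created.\r\n\r\nToken Elevation Type:\t\t%%1936\r\n",
    "win10_full":    "A new process has been created.\r\n\r\nToken Elevation Type:\t\t%%1937\r\n",
    "win10_limited": "A new process has been created.\r\n\r\nToken Elevation Type:\t\t%%1938\r\n",
    "win11_default": "A new process has been created.\r\n\r\nToken Elevation Type:\t\tTokenElevationTypeDefault (1)\r\n",
    "win11_full":    "A new process has been created.\r\n\r\nToken Elevation Type:\t\tTokenElevationTypeFull (2)\r\n",
    "win11_limited": "A new process has been created.\r\n\r\nToken Elevation Type:\t\tTokenElevationTypeLimited (3)\r\n",
}

# The poster's per-OS patterns, the OR'd lookahead they asked for, and the
# four-value alternation from their follow-up.
WIN10_ONLY = r"Token Elevation Type:(?!\s*%%1937)"
WIN11_ONLY = r"Token Elevation Type:(?!\s*TokenElevationTypeFull)"
COMBINED   = r"Token Elevation Type:(?!\s*(?:%%1937|TokenElevationTypeFull))"
ALLOWLIST  = r"%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"


def blacklisted(message: str, *patterns: str) -> bool:
    """An event is dropped if ANY blacklist entry matches (unanchored search).
    This is why splitting the two lookaheads into blacklist1/blacklist2 fails:
    each one on its own matches the other OS's full-token events."""
    return any(re.search(p, message) for p in patterns)


def kept(patterns, samples=SAMPLES):
    """Names of the sample events that survive the given blacklist entries."""
    return sorted(name for name, msg in samples.items()
                  if not blacklisted(msg, *patterns))


def inputs_conf_line(pattern: str, n: int = 1) -> str:
    """Render one entry in the key="regex" form used in the post."""
    return f'blacklist{n} = EventCode="4688" Message="{pattern}"'


if __name__ == "__main__":
    for label, entries in [
        ("win10 pattern alone",    [WIN10_ONLY]),
        ("two separate entries",   [WIN10_ONLY, WIN11_ONLY]),
        ("single OR'd lookahead",  [COMBINED]),
        ("four-value alternation", [ALLOWLIST]),
    ]:
        print(f"{label:24s} keeps {kept(entries)}")
    print(inputs_conf_line(COMBINED))
```

The second case is the catch: separate blacklist entries are OR'd by Splunk (any match drops the event), so a blacklist1 and a blacklist2 holding one lookahead each would discard every 4688 from both OS generations, and repeating the blacklist1 key is not two entries at all, since only one value for that key takes effect. The OR has to live inside one regex, which is what the alternation inside the single lookahead does. The follow-up's four-way alternation keeps the same two full-token events; matching four literal strings is cheap, so the CPU concern is minor compared with the cost of rendering the message in the first place.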