Spread our blog

Hi Guys !!

We already have a blog regarding how to index windows event log from the local windows Splunk instance. Click on the below link and see the blog,

Windows Event Logs From Local Windows Machine To Splunk

Event Log filtering using blacklist or whitelist has some formats.

Please, check the following point.

Method 1: (Unnumbered Format)

whitelist = <list of eventIDs> | key=regex [key=regex]

blacklist = <list of eventIDs> | key=regex [key=regex]

Method 2: (Numbered Format)

whitelist1 = <list of eventIDs> | key=regex [key=regex]

whitelist2 = <list of eventIDs> | key=regex [key=regex]

whitelist3 = <list of eventIDs> | key=regex [key=regex]

whitelist4 = <list of eventIDs> | key=regex [key=regex]

whitelist5 = <list of eventIDs> | key=regex [key=regex]

whitelist6 = <list of eventIDs> | key=regex [key=regex]

whitelist7 = <list of eventIDs> | key=regex [key=regex]

whitelist8 = <list of eventIDs> | key=regex [key=regex]

whitelist9 = <list of eventIDs> | key=regex [key=regex]

blacklist1 = <list of eventIDs> | key=regex [key=regex]

blacklist2 = <list of eventIDs> | key=regex [key=regex]

blacklist3 = <list of eventIDs> | key=regex [key=regex]

blacklist4 = <list of eventIDs> | key=regex [key=regex]

blacklist5 = <list of eventIDs> | key=regex [key=regex]

blacklist6 = <list of eventIDs> | key=regex [key=regex]

blacklist7 = <list of eventIDs> | key=regex [key=regex]

blacklist8 = <list of eventIDs> | key=regex [key=regex]

blacklist9 = <list of eventIDs> | key=regex [key=regex]

Both numbered and unnumbered method supports two formats:

  • A comma-separated list of event IDs.
  • A list of key=regular expression pairs.
  • Numbered Format support 1 to 9.

 NOTE: Numbered and Unnumbered format both can’t be combined together. Only one method can be used.

Numbered Format:

blacklist1 = EventCode=”5061″

blacklist2 = EventCode=”5058″

OR

Unnumbered Format:

blacklist = 5061,5058

Regex Equivalent of this is, blacklist = EventCode=%^(5061|5058)$%

NOTE: The same format can be used for whitelist as well and you can use ranges of event IDs also, like (1-200).

You can also know about :  HEC (Http Event Collector) with Syslog-NG :  Aggregated  and Scalable Data Collection Method in Splunk

So, let’s see the example.

Blacklist Example:

Step 1:

For, this we will use Application of windows event log, which is enabled from our local machine, so the configuration looks like below under $SPLUNK_HOME/etc/system/local in inputs.conf,

[WinEventLog://Application]
index = wineventlog
sourcetype = WinEventLog: Application
disabled = 0

Step 2:

Now, we will search the data for wineventlog index and WinEventLog:Application,

Explanation:

Here, we have searched with the query, 

index=wineventlog sourcetype="WinEventLog:Application" EventCode=1530 OR EventCode=5973

We have searched for the specific eventcodes 1530 and 5937 and as you can see that we are getting events.

Now, we will blacklist these two eventcodes and check.

So, check the below steps

Step 3:

Now, we made some modification in the same inputs.conf as below,

[WinEventLog://Application]
index = wineventlog
sourcetype = WinEventLog: Application
disabled = 0
blacklist = EventCode=%^(1530|5973)$%

Explanation:

blacklist = EventCode=%^(1530|5973)$, this will blacklist the 1530 and 5973 eventcodes.

Once the changes are made, restrart splunk using ./splunk restart under $SPLUNK_HOME/bin/ directory.

Step 4:

Explanation:

As, you can see when we have mentioned the eventcodes 1530 and 5973, we are not getting any events, which we have blacklisted.

Whitelist Example:

Step 1:

For, this we will use Security windows event logs, which is enabled from our local machine, so the configuration looks like below under $SPLUNK_HOME/etc/system/local in inputs.conf,

[WinEventLog://Security]
index = wineventlog
sourcetype = WinEventLog:Security
disabled = 0

Step 2:

Now, we will search the data for wineventlog index and WinEventLog:Security,

Explanation:

Here, we have searched with the query, 

index=wineventlog sourcetype="WinEventLog:Security" 
| table EventCode | dedup EventCode

As, you can see in the above image, we can see many EventCodes. Now, we will whitelist only this two eventcodes 4624 and 4672, and will check.

You can also know about :  Could not send data to output queue (parsingQueue), retrying... ( Part 2 )

So, check the below steps.

Step 3:

Now, we made some modification in the same inputs.conf as below,

[WinEventLog://Security]
index = wineventlog
sourcetype = WinEventLog:Security
disabled = 0
whitelist = EventCode=%^(4624|4672)$%

Explanation:

whitelist = EventCode=%^(4624|4672)$, this will whitelist only the 4624and 4672 eventcodes.

Once the changes are made, restrart splunk using ./splunk restart under $SPLUNK_HOME/bin/ directory.

Step 4:

Explanation:

As, you can see when we listing the event codes, we are only getting the eventcodes 4624 and 4672, which we have whitelisted.

Hope you have enjoyed this blog, we will come back with new topics of Splunk. Until then goodbye and stay safe and strong.

Happy Splunking !!

What’s your Reaction?
+1
+1
+1
+1
+1
1
+1
+1

Spread our blog

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here