Channel: Questions in topic: "splunk-enterprise"

inputs.conf - blacklist regex performance assistance

Thank you in advance. Looking for some assistance with inputs.conf on Windows systems. First, we modified inputs.conf located at /opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf

1) Do we need to do anything for our Splunk clients to pick up the changes?

2) In terms of performance and syntax, does anyone have any concerns or recommendations to improve the performance of the 6 blacklists below? We believe they work but are unsure about performance.

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    renderXml = false
    index = windowsevents
    # Drop 4662/566 object-access events unless the object is a groupPolicyContainer
    blacklist1 = EventCode="4662" Message="(?i)Object Type:(?!\s*groupPolicyContainer)"
    blacklist2 = EventCode="566" Message="(?i)Object Type:(?!\s*groupPolicyContainer)"
    # Drop these event codes outright
    blacklist3 = 5154,4663,4689,5152,4627
    # Drop 4688 process-creation events for the forwarder's own binaries
    blacklist4 = EventCode="4688" Message="(?im:New Process Name:).*(?i:SplunkUniversalForwarder\\bin\\)(?i:splunk\.exe|btool\.exe)"
    # Drop 4688 events for grep/awk on one scripting host
    blacklist5 = EventCode="4688" ComputerName="verybadscripts\.myco\.com" Message="(?im:New Process Name:.*(\\grep\.exe|\\awk\.exe))"
    # Drop computer-account logon noise from the noisycomp/loudercomp hosts
    # (setting names are case-sensitive: blacklist6, not Blacklist6)
    blacklist6 = EventCode="(4624|4634|4672)" ComputerName="(?i:(.+noisycomp|.+loudercomp).+\.myco\.com)" Message="(?im:.*Account Name:\s+.*(noisycomp|loudercomp).*\$)"

As an example, computers have names like *abloudercomp01* and *bcdloudercompx02*, and so the account names would be *abloudercomp01$* and *bcdloudercompx02$* respectively... I don't want to presume two chars followed by two numbers, but I can presume <=5 chars on either side of the loudercomp string(s) if it would make a large difference in performance.

For some reason, we aren't currently seeing any 4688 events at all (from any comp) after BL 4 and 5 were added early today, but it could just be that there isn't a lot of volume on the weekend.
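The filters above can be dry-run offline before they reach the forwarders. The script below is an added example, not Splunk's code and not from the original post: it assumes that the key="regex" pairs inside one blacklistN line are ANDed and the numbered lines are ORed (an event is dropped if any line matches), that each regex is an unanchored search over the named field, and that Python's re engine accepts these PCRE-style patterns unchanged. The sample events and host names are constructed for the script. Two of the logon samples are the check worth looking at: a 4624 on abloudercomp01 whose New Logon is a human user but whose Subject line carries the computer account (ABLOUDERCOMP01$) is dropped by blacklist6 as written, because the Message regex is satisfied by any "Account Name:" line in the event.

```python
"""Offline dry-run of the six Windows event log blacklists from the question.

Added example (not Splunk's code). Assumptions: key="regex" pairs within one
blacklistN line are ANDed, numbered lines are ORed, each regex is an unanchored
search over its field, and Python's re behaves like Splunk's PCRE for these
patterns. Sample events below are constructed, not real log data.
"""
import re

# The six rules as posted (with the case-corrected blacklist6 key).
BLACKLISTS = {
    "blacklist1": {"EventCode": r"4662",
                   "Message": r"(?i)Object Type:(?!\s*groupPolicyContainer)"},
    "blacklist2": {"EventCode": r"566",
                   "Message": r"(?i)Object Type:(?!\s*groupPolicyContainer)"},
    "blacklist3": "5154,4663,4689,5152,4627",
    "blacklist4": {"EventCode": r"4688",
                   "Message": r"(?im:New Process Name:).*"
                              r"(?i:SplunkUniversalForwarder\\bin\\)(?i:splunk\.exe|btool\.exe)"},
    "blacklist5": {"EventCode": r"4688",
                   "ComputerName": r"verybadscripts\.myco\.com",
                   "Message": r"(?im:New Process Name:.*(\\grep\.exe|\\awk\.exe))"},
    "blacklist6": {"EventCode": r"(4624|4634|4672)",
                   "ComputerName": r"(?i:(.+noisycomp|.+loudercomp).+\.myco\.com)",
                   "Message": r"(?im:.*Account Name:\s+.*(noisycomp|loudercomp).*\$)"},
}


def _compile(rule):
    """A bare 'code,code,...' list becomes a set of codes; key=regex rules are compiled."""
    if isinstance(rule, str):
        return {"EventCode": {code.strip() for code in rule.split(",")}}
    return {key: re.compile(pattern) for key, pattern in rule.items()}


COMPILED = {name: _compile(rule) for name, rule in BLACKLISTS.items()}


def matching_blacklists(event):
    """Names of every rule whose keys all match `event` (AND within a rule)."""
    hits = []
    for name, rule in COMPILED.items():
        for key, matcher in rule.items():
            value = event.get(key, "")
            matched = value in matcher if isinstance(matcher, set) else matcher.search(value) is not None
            if not matched:
                break
        else:  # every key matched -> this rule would drop the event
            hits.append(name)
    return hits


def _proc_event(computer, new_process_name):
    """Constructed 4688 event with the Message layout the regexes expect."""
    return {"EventCode": "4688", "ComputerName": computer,
            "Message": "A new process has been created.\n\nProcess Information:\n"
                       "\tNew Process Name:\t" + new_process_name + "\n"}


def _logon_event(computer, subject_account, new_logon_account):
    """Constructed 4624 event: Subject and New Logon each carry an Account Name line."""
    return {"EventCode": "4624", "ComputerName": computer,
            "Message": "An account was successfully logged on.\n\nSubject:\n"
                       "\tAccount Name:\t\t" + subject_account + "\n\nNew Logon:\n"
                       "\tAccount Name:\t\t" + new_logon_account + "\n"}


SAMPLE_EVENTS = {
    # 4662 on a GPO object: the negative lookahead fails, so the event is kept
    "gpo_audit": {"EventCode": "4662", "ComputerName": "dc01.myco.com",
                  "Message": "An operation was performed on an object.\n\n"
                             "Object:\n\tObject Type:\t\tgroupPolicyContainer\n"},
    # 4662 on any other object type is dropped by blacklist1
    "user_object_audit": {"EventCode": "4662", "ComputerName": "dc01.myco.com",
                          "Message": "An operation was performed on an object.\n\n"
                                     "Object:\n\tObject Type:\t\tuser\n"},
    "user_cmd": _proc_event("ws17.myco.com", r"C:\Windows\System32\cmd.exe"),
    "forwarder_self": _proc_event("ws17.myco.com",
                                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"),
    "grep_on_script_host": _proc_event("verybadscripts.myco.com", r"C:\Tools\grep.exe"),
    "grep_elsewhere": _proc_event("ws17.myco.com", r"C:\Tools\grep.exe"),
    "machine_logon": _logon_event("abloudercomp01.myco.com", "-", "ABLOUDERCOMP01$"),
    # Human logon on a loudercomp host: dropped too, via the Subject's computer account
    "user_logon_same_host": _logon_event("abloudercomp01.myco.com", "ABLOUDERCOMP01$", "jsmith"),
    "user_logon_other_host": _logon_event("ws17.myco.com", "WS17$", "jsmith"),
    "object_access": {"EventCode": "4663", "ComputerName": "fs01.myco.com",
                      "Message": "An attempt was made to access an object.\n"},
}


def report(events=SAMPLE_EVENTS):
    """Map each sample name to the rules that would drop it ([] means forwarded)."""
    return {name: matching_blacklists(event) for name, event in events.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:24s} {'DROPPED by ' + ', '.join(hits) if hits else 'forwarded'}")
```

Paste a real exported Message into one of the constructors to test the exact text the forwarder sees; the regexes are applied only to the fields named in each rule, so a rule with a ComputerName key never fires for hosts that do not match it, as the two grep samples show.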
