I have the following stanza in the universal forwarder Splunk 6.3:
```
[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4656"
blacklist2=EventCode="5156"
blacklist3=EventCode="4658"
blacklist4=EventCode="5145"
blacklist5=EventCode="5158"
Blacklist6=EventCode="4663" Message="ZettaMirror_Sync"
```
The EventCode-only blacklists function as expected; however, adding the Message filter does not. What you see here is the latest of many attempts at regexes pared down to nothing: I tried `.*ZettaMirror.*`, tried using `Process_Name=".*Zetta.*"` instead of Message, etc. The actual log event I want to get rid of is this one:
```
11/25/2015 04:20:34 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=APPSERVER9.summitpartnersllc.int
TaskCategory=File System
OpCode=Info
RecordNumber=517360030
Keywords=Audit Success
Message=An attempt was made to access an object.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAMEREDACTED$
Account Domain: REDACTEDDOMAIN
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolumeShadowCopy59\redactedDirectory\somepath.pdf
Handle ID: 0x4a8
Process Information:
Process ID: 0xcec
Process Name: C:\Program Files\Zetta\ZettaMirror\ZettaMirror_Sync.exe
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
```
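When tuning `key="regex"` blacklists like the ones above it helps to dry-run the rules against a captured event before pushing a new inputs.conf to the forwarders, so that an over-broad rule does not silently drop audit events you still need (4663 file-access events are valuable for detection, so a rule should match only the noisy process). The script below is an added example, not part of this question or of Splunk; it models the blacklist semantics as I understand them (each `key="regex"` pair is an unanchored, case-sensitive regex search against that field, all pairs in one rule must match, and the `Message` field is the whole multi-line description including the `Process Name:` line). Those semantics, the lowercase `blacklistN` setting names, and the sample stanza and event are assumptions of the model and should be checked against the forwarder's behaviour.

```python
import re

# Constructed sample event, modelled on the 4663 event in the question
# (host and paths replaced). Everything after "Message=" is the description.
SAMPLE_EVENT = r"""11/25/2015 04:20:34 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=APPSERVER9.example.int
TaskCategory=File System
Keywords=Audit Success
Message=An attempt was made to access an object.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: EXAMPLEHOST$
Object:
Object Type: File
Object Name: \Device\HarddiskVolumeShadowCopy59\share\report.pdf
Process Information:
Process ID: 0xcec
Process Name: C:\Program Files\Zetta\ZettaMirror\ZettaMirror_Sync.exe
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
"""

# Constructed stanza (not the question's); rules are listed lowercase.
SAMPLE_STANZA = r"""[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4656"
blacklist2=EventCode="5156"
blacklist3=EventCode="4663" Message="ZettaMirror_Sync\.exe"
"""

HEADER_RE = re.compile(r"^(\w+)=(.*)$")
# Assumption: setting names are matched case-sensitively, so only
# lowercase "blacklist<n>" lines are picked up by this model.
STANZA_KEY_RE = re.compile(r"^blacklist\d+\s*=\s*(.+)$")
# One key="regex" pair; the regex may contain escaped quotes.
RULE_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(text):
    """Split a WinEventLog event into {field: value}. The Message value is
    the rest of the event from the 'Message=' line onward, multi-line."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def load_blacklist(stanza_text):
    """Return the rule strings of every blacklist<n> setting in a stanza."""
    rules = []
    for line in stanza_text.splitlines():
        m = STANZA_KEY_RE.match(line.strip())
        if m:
            rules.append(m.group(1).strip())
    return rules


def rule_matches(rule, fields):
    """A rule blacklists an event only if every key="regex" pair in it
    finds a match (re.search, case-sensitive) in that field's value."""
    pairs = RULE_RE.findall(rule)
    if not pairs:
        return False
    for key, pattern in pairs:
        value = fields.get(key)
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def matching_rules(rules, fields):
    """Which rules would drop this event; empty list means it is kept."""
    return [r for r in rules if rule_matches(r, fields)]


def is_blacklisted(rules, fields):
    return bool(matching_rules(rules, fields))


if __name__ == "__main__":
    fields = parse_event(SAMPLE_EVENT)
    rules = load_blacklist(SAMPLE_STANZA)
    for r in rules:
        print(("DROP " if rule_matches(r, fields) else "keep ") + r)
```

Run it against an exported event and the candidate stanza; a rule that prints `DROP` for events from other processes, or `keep` for the one you meant to silence, is worth fixing before it reaches the forwarders.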