Skip to content

Instantly share code, notes, and snippets.

@wohckcin
Forked from automine/inputs.conf
Created June 20, 2018 06:32
Show Gist options
  • Save wohckcin/ce59900f793640bf7e9b1dec8c85f038 to your computer and use it in GitHub Desktop.
Save wohckcin/ce59900f793640bf7e9b1dec8c85f038 to your computer and use it in GitHub Desktop.
Nice windows event blacklisting
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment