Hello, friends!
We have:
Splunk server (indexer) and a computer with WinXP and UniversalForwarder.
The task was to remove some Windows security events from the Splunk indexer.
It was solved by using the parameter "blacklist" in inputs.conf on the computer with WinXP.
inputs.conf
[WinEventLog://Security]
disabled = false
blacklist = 538,540
And everything worked as needed: the data came from the EventLog except the two specified IDs (538 and 540).
The problem started when I decided to add a third ID (576).
I changed inputs.conf:
[WinEventLog://Security]
disabled = false
blacklist = 538,540,576
Saved, restarted the splunk service.
And all events from the EventLog from this machine stopped coming to the indexer.
If I change inputs.conf back to its original appearance (with the two Event IDs), everything works again as necessary.
What can cause this problem?
Thx!
The blacklist parameter is a regular expression:
This worked in my test:
blacklist = 538|540|576
Here is the documentation for the parameter:
http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
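To see the difference between the comma form in the question and the regex form in this answer before pushing a change to a forwarder, here is a small offline checker. It is an added example, not code from the thread or from Splunk: it assumes the blacklist is a regular expression that must match the whole EventCode (my assumption for the simulation), and the inputs.conf fragments and the EventCode sample are constructed.

```python
import configparser
import re

# Constructed inputs.conf fragments (not copied from the poster's forwarder):
# the comma-separated form from the question and the regex form from the answer.
COMMA_FORM = """
[WinEventLog://Security]
disabled = false
blacklist = 538,540,576
"""

REGEX_FORM = """
[WinEventLog://Security]
disabled = false
blacklist = 538|540|576
"""

# Constructed sample of Security-log EventCodes, including 5386 so that an
# unanchored '538' would be caught as over-matching.
SAMPLE_EVENT_CODES = ["528", "538", "540", "576", "592", "5386"]


def load_blacklist(conf_text, stanza="WinEventLog://Security"):
    """Read the blacklist value from one stanza of an inputs.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get(stanza, "blacklist", fallback="")


def simulate_blacklist(blacklist, event_codes):
    """Return (dropped, kept) for the sample EventCodes.

    Assumption (mine, not stated in the thread): the pattern is applied as a
    regex that must match the entire EventCode string.
    """
    try:
        pattern = re.compile(rf"^(?:{blacklist})$")
    except re.error as exc:
        raise ValueError(f"blacklist is not a valid regex: {exc}") from exc
    dropped = [code for code in event_codes if pattern.match(code)]
    kept = [code for code in event_codes if not pattern.match(code)]
    return dropped, kept


def review_blacklist(blacklist, event_codes):
    """Flag the two outcomes a defender does not want: filtering nothing,
    or filtering every sampled event (silently losing the whole log)."""
    dropped, kept = simulate_blacklist(blacklist, event_codes)
    findings = []
    if not dropped:
        findings.append("blacklist drops none of the sampled EventCodes")
    if not kept:
        findings.append("blacklist drops every sampled EventCode")
    return findings


if __name__ == "__main__":
    for label, conf in (("comma form", COMMA_FORM), ("regex form", REGEX_FORM)):
        value = load_blacklist(conf)
        dropped, kept = simulate_blacklist(value, SAMPLE_EVENT_CODES)
        print(f"{label}: blacklist = {value}")
        print(f"  dropped: {dropped}")
        print(f"  kept:    {kept}")
        for finding in review_blacklist(value, SAMPLE_EVENT_CODES):
            print(f"  WARNING: {finding}")
```

Under the full-match assumption the regex form drops exactly 538, 540 and 576 and keeps 5386, while the comma form drops nothing at all; a regex with a syntax error is reported instead of being deployed.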
Thx. Will check shortly.
The last time was not the time to do it
Have you tried blacklist = (576|538|540)?
Of course I checked the security log for the presence of these IDs. They are present in the security log, but they are not present in Splunk.
Have you checked the event log to see if there are events without those IDs? Just want to rule out the obvious, etc...
blacklist = 576,538,540 and blacklist = 576,538 - the same result 😞
As an option I could make a whitelist with all EventIDs except these, but I will try it later. I think this cannot be caused by the free license.
Just to be sure, can you try changing the order of the event IDs in the blacklist?
Yes, other data from this machine comes in correctly. Only the EventLog disappears.
Do you get other events from the forwarder? Can you see any errors or warnings from the forwarder when searching in index=_internal?