I have this on my Windows DC server with Universal Forwarder v 6.1.1.
..\Splunk_TA_Windows\local\inputs.conf file:
[WinEventLog://Security]
disabled = 0
current_only=1
blacklist1=EventCode=4662
blacklist2=EventCode=566
Yet event 4662 gets indexed sometimes. Any idea? Event 4662 is generated around 1000+ times per second. Is the forwarder not keeping up with this rate of events?
The issue here is that the blacklist requires delimiters around the regex in order for it to work. Try changing blacklist1=EventCode="4662". For more detail, please see the following post:
http://answers.splunk.com/answers/148883/what-is-wrong-with-my-inputsconf-eventcode-blacklist
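An added example, not part of the original posts or of Splunk's own tooling: a small linter that scans inputs.conf text for WinEventLog whitelist/blacklist settings written as key=regex without delimiters, the mistake described in the answer above. The function name and sample text are constructed, and treating any matching pair of non-alphanumeric characters as valid delimiters is an assumption.

```python
import re

# Constructed sample: the stanza from the question plus two variants.
SAMPLE_CONF = '''\
[WinEventLog://Security]
disabled = 0
current_only=1
blacklist1=EventCode=4662
blacklist2=EventCode="566"
blacklist3=4768-4771,5156
'''

FILTER_KEY = re.compile(r'^(?:whitelist|blacklist)\d*$')
# Plain event ID list form (IDs and ranges), which needs no delimiters.
ID_LIST = re.compile(r'^\d+(?:\s*-\s*\d+)?(?:\s*,\s*\d+(?:\s*-\s*\d+)?)*$')
# key=<delim>regex<same delim> (assumed delimiter: any non-word, non-space char),
# or, in group 4, a bare undelimited value.
PAIR = re.compile(r'\s*(\w+)\s*=\s*(?:([^\w\s])(.*?)\2|(\S+))')


def lint_inputs_conf(text):
    """Return (stanza, setting, problem) for filters whose regex is not delimited."""
    findings, stanza = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            stanza = line[1:-1]
            continue
        key, sep, value = (p.strip() for p in line.partition('='))
        if not sep or not stanza or not stanza.startswith('WinEventLog://'):
            continue
        if not FILTER_KEY.match(key) or ID_LIST.match(value):
            continue
        pos = 0
        while pos < len(value):
            m = PAIR.match(value, pos)
            if not m:
                findings.append((stanza, key, 'unparseable: ' + value[pos:]))
                break
            if m.group(4) is not None:
                findings.append((stanza, key, 'undelimited regex for %s: %s'
                                 % (m.group(1), m.group(4))))
            pos = m.end()
    return findings
```

Running `lint_inputs_conf(SAMPLE_CONF)` reports only `blacklist1`, the setting from the question; the quoted form and the plain ID list pass.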