Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Security Event whitelist regex filter

oneshow
Engager
‎08-07-2014 08:07 AM

I need to filter logon event (eventcode = 4624) only for user with name SA-*

New Logon:
Security ID: TEST\SA-user01
Account Name: SA-User01
Account Domain: TEST

Can i configure inputs.conf to whitelist only this kind of event?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oneshow
Engager
‎08-07-2014 09:03 AM

only with this string work fine:

whitelist = Message="\\[sS][aA]\-" EventCode="4624"

in logon event "User" is N/A

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

oneshow
Engager
‎08-07-2014 09:03 AM

only with this string work fine:

whitelist = Message="\\[sS][aA]\-" EventCode="4624"

in logon event "User" is N/A

Thanks

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎08-07-2014 08:12 AM

see the documentation (need at least splunk 6.1 )
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorWindowsdata > Create advanced filters with whitelist and blacklist

try
whitelist= User=SA-* EventCode=4624

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...