I need to filter logon events (EventCode = 4624) only for users with a name like SA-*
New Logon:
Security ID: TEST\SA-user01
Account Name: SA-User01
Account Domain: TEST
Can I configure inputs.conf to whitelist only this kind of event?
Thanks
Only this string works fine:
whitelist = Message="\\[sS][aA]\-" EventCode="4624"
In the logon event, "User" is N/A.
Thanks
See the documentation (needs at least Splunk 6.1):
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorWindowsdata > Create advanced filters with whitelist and blacklist
Try:
whitelist= User=SA-* EventCode=4624
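To see why the Message-based filter from the earlier answer works and the User-based one from this answer does not, here is an added Python model of how an inputs.conf whitelist line is applied to Windows events. It is example code written for this page, not Splunk's own implementation: the sample events are constructed, and the rule that every key=regex pair on one line must match (AND semantics) is an assumption made to mirror Splunk's advanced filters.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not from the original thread). Splunk exposes
# the Windows event's EventCode, User and Message as separate keys that a
# whitelist line can match against; "User" is N/A for 4624 logon events,
# which is why the thread's working filter matches on Message instead.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # service-account logon: should pass the filter
        "EventCode": "4624",
        "User": "N/A",
        "Message": ("An account was successfully logged on.\n\n"
                    "New Logon:\n"
                    "\tSecurity ID:\t\tTEST\\SA-user01\n"
                    "\tAccount Name:\t\tSA-User01\n"
                    "\tAccount Domain:\t\tTEST\n"),
    },
    {   # ordinary user logon: same EventCode, wrong account
        "EventCode": "4624",
        "User": "N/A",
        "Message": ("An account was successfully logged on.\n\n"
                    "New Logon:\n"
                    "\tSecurity ID:\t\tTEST\\jdoe\n"
                    "\tAccount Name:\t\tjdoe\n"
                    "\tAccount Domain:\t\tTEST\n"),
    },
    {   # service-account logoff: right account, wrong EventCode
        "EventCode": "4634",
        "User": "N/A",
        "Message": ("An account was logged off.\n\n"
                    "Subject:\n"
                    "\tSecurity ID:\t\tTEST\\SA-user01\n"
                    "\tAccount Name:\t\tSA-User01\n"),
    },
]

# One key=regex pair on a whitelist line; the value may be double-quoted
# (with \" and \\ escapes) or a bare run of non-space characters.
_PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_whitelist(line: str) -> List[Tuple[str, re.Pattern]]:
    r"""Turn an inputs.conf line such as

        whitelist = Message="\\[sS][aA]\-" EventCode="4624"

    into a list of (key, compiled regex) pairs. The optional 'whitelist ='
    prefix is stripped first. The quoted value is used verbatim as a regex:
    \\ in the conf file matches one literal backslash, so \\[sS][aA]\-
    matches the "\SA-" of a DOMAIN\SA-user account inside the Message text.
    """
    body = re.sub(r'^\s*whitelist\s*=\s*', '', line)
    pairs = []
    for m in _PAIR_RE.finditer(body):
        key, quoted, bare = m.groups()
        pattern = quoted if quoted is not None else bare
        pairs.append((key, re.compile(pattern)))
    if not pairs:
        raise ValueError(f"no key=regex pairs found in: {line!r}")
    return pairs


def event_allowed(event: Dict[str, str], pairs: List[Tuple[str, re.Pattern]]) -> bool:
    """Every key=regex pair on the line must match its field (assumed AND
    semantics for pairs on one whitelist line). A key the event lacks is
    treated as empty text, so it cannot match.
    """
    return all(rx.search(event.get(key, "")) is not None for key, rx in pairs)


def filter_events(events: List[Dict[str, str]], line: str) -> List[int]:
    """Return the indices of the events that the whitelist line lets through."""
    pairs = parse_whitelist(line)
    return [i for i, ev in enumerate(events) if event_allowed(ev, pairs)]


if __name__ == "__main__":
    working = r'whitelist = Message="\\[sS][aA]\-" EventCode="4624"'
    naive = r'whitelist= User=SA-* EventCode=4624'
    print("Message-based filter keeps events:", filter_events(SAMPLE_EVENTS, working))
    print("User-based filter keeps events:   ", filter_events(SAMPLE_EVENTS, naive))
```

Running it keeps only the first sample event under the Message-based line and nothing under the User-based line, because "User" is N/A for every logon event. Note also that whitelist values are regular expressions, not globs: `SA-*` means "SA" followed by zero or more hyphens, so it would also match an account such as SAML; anchoring on the backslash that precedes the account name, as the working filter does, avoids that.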