Can I forward only success logs of security log fo...

05500 · ‎05-21-2015

Once we forward security logs for windows event log using Universal forwarder from each servers to splunk server,
Can I forward only success logs?

miteshvohra · ‎05-25-2015

You can use Whitelist stanza in your inputs.conf. You can add the keywords/event-codes that are part of the events you wish to capture.

Here is the doc link for detailed explanation.

Mitesh.

joshd · ‎05-21-2015

What you want to look at is using the whitelist and blacklist features within inputs.conf on the universal forwarder to only capture the specific Windows EventCode to meet your needs.

Details on the inputs configuration here: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...

Splunk blog post with real examples here: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

05500 · ‎05-24-2015

Can I control which part of file for forwarding only success security log of event viewer?
Can I setup on source server with installed universal forwarder or destination server (Splunk server)?
I want to know detail settings.

Can I forward only success logs of security log for windows using universal forwarder?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor