- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to add an item to the whitelist in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to add an item to the whitelist in just one specific client in a server class?
I have a server class (wineventlog) that has a whitelist in the inputs.conf. It looks like this:
[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281
This applies to all 14 clients in this server class. However, I want to add "2000" to the whitelist, but I need it in only one client out of the 14. Is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using advanced filtering. Create a second whitelist that filters based on EventCode and ComputerName. Set ComputerName to the name of the client that you want to log the event.
[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281
whitelist1=EventCode="2000" ComputerName="insert name of client here"
Or you could create a new app that contains whitelist1 for event code 2000, and only apply it to the single client.
[WinEventLog://Security]
whitelist1=EventCode="2000"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't think of any native method, but you can try these work arounds
- Create two copy of the app, one with current whitelist and one with additional 2000 to whitelist. Deploy current one to 13 servers and new (with additional whitelist) to that 1 server [probably easy]
- Add 2000 to whitelist in the current app. On indexer side, create a transform to route the event to nullQueue if the host is not that one client (more complex)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would also do option 1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd vote for option 1 - although if you don't already know about the nullQueue then do option 2 as it will be a useful exercise
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not that I can think of.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
