How to edit my inputs.conf to whitelist selected e...

kiran331 · ‎10-27-2016

Hello

I have to get only the selected events from Windows Security logs, so I have added the whitelist in inputs.conf stanza, but it's not working. Let me know what to be changed or added to inputs.conf to make it work.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist1= EventCode="4723|4724|4727|4728|4731|4732|4735|4737|4738|4739|4740 |4754|4755|4756|4764|4767|4777|4780|4816|4864|4865|4866|4867|4882|4885|4890|489 2"
whitelist2 = EventCode="4896|4906|4907|4908|4912|4960|4961|4963|4965|4962|4976 |4977|4978|4983|4984|5027|5028|5029|5030|5035|5037|5038|5122|5123|5124|5376|537 7"
whitelist3 = EventCode="5453|5480|5483|5484|5485|6145|6273|6274|6275|6277|6278 |6279|6280|24586|24592|24593|24594"

lquinn · ‎10-27-2016

Try just listing the event codes in your whitelist settings like this:

 whitelist1 = 4723,4724,4727,4728,4731,4732,4735,4737,4738,4739,4740,4754,4755,4756,4764,4767,4777,4780,4816,4864,4865,4866,4867,4882,4885,4890,4892
whitelist2 = 4896,4906,4907,4908,4912,4960,4961,4963,4965,4962,4976,4977,4978,4983,4984,5027,5028,5029,5030,5035,5037,5038,5122,5123,5124,5376,5377
whitelist3 = 5453,5480,5483,5484,5485,6145,6273,6274,6275,6277,6278,6279,6280,24586,24592,24593,24594

kiran331 · ‎10-28-2016

Hi lquinn, I tried this, its not working. Its sending logs with other event Codes too.

How to edit my inputs.conf to whitelist selected events from Windows Security logs?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!