Hi,
I want to release locked event to other users just for a user.
My inputs.conf:
[default]
host = xxxxx
[WinEventLog://Security]
disabled = 0
current_only = 1
checkpointInterval = 5
whitelist1 = Account_Name="xxxxx" EventCode="xxxxx"
blacklist2 = 4771, 4776, 4624, 4634, 4769, 4768, 4625, 4672, 4662
index = xxxx_index
Regards
Hi lgastaldello,
as you can see at https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Inputsconf, in whitelist you have to put a regular expression to search. Are you sure that in your events there is exactly what you inserted in whitelist: Account_Name="xxxxx" EventCode="xxxxx"?
Exactly means that every word comes after the previous one and between each of them there is only the number of spaces you used.
Anyway, you have to use a regular expression, so characters such as = or " must be escaped with \\.
Probably you have to use something like this
whitelist = Account_Name\=\"xxxxx\".*EventCode\=\"xxxxx\"
Bye.
Giuseppe
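To check a whitelist regex against a copy of the event text before putting it in inputs.conf, here is an added Python example (not from this thread or from Splunk; Python's re module stands in for Splunk's PCRE engine, and the event below is a constructed sample, not a real log):

```python
import re

# Constructed sample of a Windows Security event as Splunk renders it:
# multi-line, with "Account Name:" separated from its value by tabs.
SAMPLE_EVENT = (
    "03/15/2018 10:22:01 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "New Logon:\n"
    "\tAccount Name:\t\tsvc_backup\n"
    "\tAccount Domain:\t\tCORP\n"
)


def whitelist_matches(pattern: str, event: str) -> bool:
    """True if the whitelist regex matches anywhere in the event text.

    DOTALL lets '.*' span the line breaks that separate fields in a
    rendered event, so two fields on different lines can be chained.
    """
    return re.search(pattern, event, re.DOTALL) is not None


def field_pattern(pairs) -> str:
    """Build a whitelist regex from (label, value) pairs.

    Both label and value are escaped so they match literally (an
    unescaped '.' in a value would widen the whitelist), and the pairs
    are joined with '.*' so the exact whitespace between fields does
    not matter.
    """
    return ".*".join(re.escape(label) + re.escape(value) for label, value in pairs)


if __name__ == "__main__":
    # A pattern that assumes one space between the fields: no match.
    print(whitelist_matches(r"EventCode=4624 Account Name:\t\tsvc_backup", SAMPLE_EVENT))
    # Escaped fields chained with '.*': match.
    p = field_pattern([("EventCode=", "4624"), ("Account Name:\t\t", "svc_backup")])
    print("whitelist1 = " + p, whitelist_matches(p, SAMPLE_EVENT))
    # An unescaped '.' in the account name also matches 'svc_backup'.
    print(whitelist_matches(r"Account Name:\t\tsvc.backup", SAMPLE_EVENT))
```

Paste the text of one of your own events in place of SAMPLE_EVENT to see whether your whitelist line would actually match it.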