I am using UF 6.6.3.0 on my domain controller, and the following is my inputs.conf. The whitelisting part is not working; I am seeing all event codes.
[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = 4723,4724,4740,4782
index = wineventlog
renderXml=false
I figured this out; here is my new inputs.conf.
IF YOU DON'T TYPE blacklist it will not understand whitelist
[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = 4723,4724,4740,4782
blacklist = 1100-8191
index = wineventlog
renderXml=false
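To see what a whitelist/blacklist pair like the one above actually lets through, here is an added example (not from the original post or from Splunk) that parses the stanza and filters a constructed set of Security-log EventCodes. It models the behaviour the poster reports (a whitelisted code is collected, anything else is collected unless the blacklist covers it); that is an assumption, so check it against the inputs.conf spec for your version.

```python
from configparser import ConfigParser

# Constructed stanza, copied from the resolved config in this thread.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
whitelist = 4723,4724,4740,4782
blacklist = 1100-8191
index = wineventlog
"""

# Constructed sample of EventCodes; not real collected events.
SAMPLE_EVENTS = [4624, 4723, 1102, 4740, 8192, 4782, 4724, 4625]


def parse_id_list(value):
    """Expand the 'list of event IDs' form ('4723,4724', '1100-8191',
    or a mix) into a set of ints. None or empty -> empty set."""
    ids = set()
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def load_filters(conf_text, stanza="WinEventLog://Security"):
    """Return (whitelist_ids, blacklist_ids) for one stanza."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[stanza]
    return parse_id_list(sec.get("whitelist")), parse_id_list(sec.get("blacklist"))


def admitted(event_codes, whitelist, blacklist):
    """Codes the input would collect under the assumed rule:
    on the whitelist -> keep; else on the blacklist -> drop; else keep.
    Note a code outside the blacklist range (8192 here) still passes."""
    out = []
    for code in event_codes:
        if code in whitelist or code not in blacklist:
            out.append(code)
    return out


if __name__ == "__main__":
    print(admitted(SAMPLE_EVENTS, *load_filters(INPUTS_CONF)))
```

Under this model the first config (whitelist only, no blacklist) admits every code, which is exactly the symptom described at the top of the thread.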
Hi hrithiktej,
in whitelist you have to insert regexes (see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ).
So in your case, if 4723,4724,4740,4782 are only numbers, try
whitelist = 4723|4724|4740|4782
if they are EventCodes, try
whitelist = EventCode\=4723|EventCode\=4724|EventCode\=4740|EventCode\=4782
(check if in your events EventCode is written as EventCode or EventID)
Bye.
Giuseppe
Thanks for your reply. Please check my resolution for this issue below.