I have a UF running on a linux device, with a TCP input. The input is coming from a Graylog forwarder and all the windows events coming with a 'winlogbeat_ preface.
I want to black list windows events coming by event code and normally I use a blacklist -= EventCode="xxxx" Message=....
however the eventcode comes in as winlogbeat_event_id,
I did try this:
blacklist1= winlogbeat_event_id = "4662"
This doesn't appear to work.
Can someone help with this?
Is there any log that shows events being whitelisted or blacklisted?
Thank You!
TCP inputs cannot be filtered with blacklists like that. That only works for WinEventLog inputs.
Perhaps that Graylog forwarder you use can perform some filtering? Otherwise you would have to look at dropping the unwanted events at your Indexers, by routing them to the nullqueue: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...
TCP inputs cannot be filtered with blacklists like that. That only works for WinEventLog inputs.
Perhaps that Graylog forwarder you use can perform some filtering? Otherwise you would have to look at dropping the unwanted events at your Indexers, by routing them to the nullqueue: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...
Thank You, they can whitelist but not black list or that is what they told us.
Thank You!
whitelist = foo
also doesn't work on a UF TCP input.