I have seen other examples, but none using XML for the whitelist. I only have a 2GB license and I have to go very slowly with what I collect, adding event IDs until I reach close to the max. I look at my index and I see a bunch of other event IDs. What did I do wrong?
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist= $XmlRegex= EventCode="106, 4624, 4625"
renderXml = true
index = xmlwineventlog
@richgalloway your whitelist = 106,4624,4625 will not work as long as renderXml = true, according to the documentation.
With renderXml = true you need to use $XmlRegex.
Here are the docs:
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_a...
Try this (assuming the events have the strings Eventcode=106, Eventcode=4624, and Eventcode=4625).
whitelist= $XmlRegex= EventCode=(106|4624|4625)
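An added illustration (not from the original thread) of how an $XmlRegex whitelist behaves: the regex is searched against each event's rendered XML, so an alternation that is not anchored also admits IDs that merely start with 106, 4624 or 4625. The sample events are constructed, and it is assumed that the rendered XML carries the ID as <EventID>...</EventID>, the standard Windows event XML layout, rather than an EventCode= string.

```python
import re

# Constructed samples of the <System> section that renderXml = true would emit.
# 1060 and 4672 are included to show what a loose regex lets through.
SAMPLE_EVENTS = [
    "<Event><System><EventID>4624</EventID><Channel>Security</Channel></System></Event>",
    "<Event><System><EventID>4625</EventID><Channel>Security</Channel></System></Event>",
    "<Event><System><EventID>106</EventID><Channel>Security</Channel></System></Event>",
    "<Event><System><EventID>1060</EventID><Channel>Security</Channel></System></Event>",
    "<Event><System><EventID>4672</EventID><Channel>Security</Channel></System></Event>",
]

# Unanchored alternation: "106" also matches the start of "1060".
LOOSE = r"<EventID>(106|4624|4625)"
# Anchored on the closing tag: only the exact IDs pass.
STRICT = r"<EventID>(106|4624|4625)</EventID>"


def apply_xml_whitelist(regex, events):
    """Return the events an $XmlRegex whitelist would keep.

    Mirrors the assumed matching rule: the pattern is searched anywhere in
    the rendered XML text of each event, not full-matched against it.
    """
    pattern = re.compile(regex)
    return [event for event in events if pattern.search(event)]


def event_ids(events):
    """Extract the EventID of each event so results are easy to compare."""
    return [re.search(r"<EventID>(\d+)</EventID>", e).group(1) for e in events]


if __name__ == "__main__":
    print("loose :", event_ids(apply_xml_whitelist(LOOSE, SAMPLE_EVENTS)))
    print("strict:", event_ids(apply_xml_whitelist(STRICT, SAMPLE_EVENTS)))
```

The loose pattern keeps 1060 alongside the three wanted IDs; closing the alternation with the end tag removes it, which is the check to apply when unexpected event IDs show up in the index.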
Not sure, but I think whitelist = 106,4624,4625 should work.