Hello,
I have Windows heavy forwarders on version 6.2 that collect events from many universal forwarders.
I need to blacklist some Windows event codes, so I configured this in inputs.conf:
[WinEventLog://Security]
blacklist = 4634
disabled = 0
But the event code isn't filtered.
Can you help me find the source of the problem?
Thank you.
Here's one of my inputs that works.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
index = idx_security
renderXml=false
I think in your case, you can just add:
blacklist1 = EventCode="4634"
Assuming that 'EventCode' is a valid field.
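To see what the blacklistN lines above actually keep and drop, here is a small evaluator (added example, not Splunk code) that parses a stanza like the one in the answer plus the suggested EventCode="4634" line and applies the rules to constructed sample events. It assumes the documented semantics that an event is dropped when every key="regex" pair of any one blacklistN line matches, and that each regex is searched unanchored within the field value.

```python
import re

# Constructed inputs.conf stanza (hypothetical sample, not a real file): the
# three blacklist lines from the answer plus the one suggested for 4634.
STANZA = r'''
[WinEventLog://Security]
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
blacklist4 = EventCode="4634"
'''

# One blacklistN value is a sequence of key="regex" pairs (backslashes allowed).
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_blacklists(stanza):
    """Return a list of rules; each rule is a list of (key, compiled regex)."""
    rules = []
    for line in stanza.splitlines():
        m = re.match(r'\s*blacklist\d*\s*=\s*(.*)', line)
        if not m:
            continue
        pairs = PAIR_RE.findall(m.group(1))
        rules.append([(k, re.compile(v)) for k, v in pairs])
    return rules

def is_blacklisted(event, rules):
    """Drop the event if ALL key regexes of ANY single rule match.
    Assumption: regexes are searched (unanchored) within the field value."""
    for rule in rules:
        if rule and all(rx.search(str(event.get(k, ""))) for k, rx in rule):
            return True
    return False

SAMPLE_EVENTS = [  # constructed sample events, not real log data
    {"EventCode": "4662", "Message": "Object Type: groupPolicyContainer"},
    {"EventCode": "4662", "Message": "Object Type: user"},
    {"EventCode": "5156", "Message": r"Application Name: \device\hd2\splunk\bin\splunkd.exe"},
    {"EventCode": "5156", "Message": r"Application Name: \device\hd2\windows\system32\svchost.exe"},
    {"EventCode": "4634", "Message": "An account was logged off."},
    {"EventCode": "4624", "Message": "An account was successfully logged on."},
]

def kept_event_codes(events=SAMPLE_EVENTS, stanza=STANZA):
    """Event codes that survive the blacklist: GPO object access, splunkd's own
    connections and the logon event are kept; the rest are dropped."""
    rules = parse_blacklists(stanza)
    return [e["EventCode"] for e in events if not is_blacklisted(e, rules)]
```

Note that a pattern of the form `\s+(?!label)` can still match by backtracking when the label is preceded by more than one whitespace character, so test such regexes against a real message before relying on them.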