Getting Data In

How to configure inputs.conf to blacklist Windows Event Logs on indexer?

kpavan
Path Finder

Hi,

I below is the inputs.conf which i have configured on my indexer, but it is not blocking anything. is this is correct format or not. I need to block it on indexer level since i have more forwarders. Please let me know the correct configuration.

[WinEventLog://Application]
disabled = 1
start_from = newest
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = *

Thanks!

0 Karma

ppablo
Retired

Hi @kpavan

From this blog post on filtering Windows Event Logs with blacklist, it seems like you can only filter with inputs.conf on the forwarder.

http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

The author mentions in the comment thread that they do have an earlier blog post on filtering at the indexer level, but I didn't have any luck finding that post specific to what you're looking for. If this doesn't resolve your issue, hopefully a configuration expert on filtering can chime in.

0 Karma

kpavan
Path Finder

is there a way to block the specific host/ip which sending entire logs on indexer.

0 Karma

MuS
Legend

If you want it to be filtered on the indexer follow this docs about Filter event data and send to queues. This way you can nullQueue unneeded events.

0 Karma

kpavan
Path Finder

Thanks for your quick response!

Actually it did worked in UF. Since I have too many UF's, so i would like to filter on indexer level.

0 Karma

kpavan
Path Finder

i did configured the same on UF inputs.conf it is blocking, but when i applied on indexer it is not

[WinEventLog://System]
disabled = 0
start_from = newest
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 7036

0 Karma

ITICSNORTH
Explorer

even it's not working on UF to 😞

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...