We are trying to configure event ID filtering for Security events, but even with the configuration below, a few events that are listed in a blacklist are still being indexed in Splunk. Please point out if I am missing something in my inputs.conf file.
Is there a limit on the number of blacklists that can be created?
Is there a limit on the number of event IDs allowed in one blacklist group?
# Settings in [default] apply to every input stanza in this file unless a
# stanza sets the same key itself.
[default]
# host value stamped on events collected by these inputs
host = NLCIM007
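# Windows Security event log input. Reads from the oldest record onward and
# applies the numbered whitelist/blacklist filters below. Each list is a
# comma-separated set of event IDs on a single line; no trailing comma, so
# no list ends in an empty element.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# 0 or 1 only; a letter (such as "o") is not a valid boolean here
suppress_text = 0
# Key names must be spelled exactly whitelist1..whitelist9 / blacklist1..blacklist9;
# a misspelled key (e.g. "whiltelist1") is silently ignored and the list never
# takes effect.
# NOTE(review): 4950 appears in both whitelist2 and blacklist6 - confirm which
# of the two is intended.
whitelist1 = 4649,5378,5632,5633,4868,4869,4870,4871,4872,4873,4882,5145,5140,5142,5143,5144,4698,4699,4700,4701
whitelist2 = 4705,4706,4707,4714,4911,4913,4950,4608,4609,4616,4621,4618,4816,5060,4777,4771,4790,4742,4743,4744
whitelist3 = 4754,4755,4756,4757,4758,4764,4720,4722,4723,4725,4726,4738,4740,4767,4780,5712,4662,5136,5137,5138,5139,5141,4625
# NOTE(review): the blacklists drop several IDs that authentication and
# process-execution detections commonly rely on (e.g. 4648/4768/4769/4776 in
# blacklist1, 4688/4672 in blacklist7). Confirm these exclusions are intentional,
# since events filtered at the input are not recoverable later.
blacklist1 = 4774,4775,4776,4768,4772,4769,4770,4783,4784,4785,4648,4786,4787,4788,4789,4782,4793,4724,4765,4766,4781
blacklist2 = 5453,4654,4977,5451,5452,4634,4647,4626,6272,6273,6274,6275,6276,6277,6278,6279,6280,4778,4779,4800
blacklist3 = 5152,5153,4656,4658,4690,4671,4691,5149,5888,5889,5890,5039,4709,4710,4711,4712,5040
blacklist4 = 4664,4985,5051,5031,5150,5151,5154,5155,5156,5157,5158,5159,4659,4660,4661,4663
blacklist5 = 5041,5042,5043,5044,5045,5046,5047,5048,5440,5441,5442,5443,5444,5446,5448,5449,5450,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5471,5472,5473,5474,5477,4944,4945,4946,4947,5062,6281
blacklist6 = 4801,4802,4803,4964,4665,4666,4667,4668,4818,4874,4875,4876,4877,4878,4879,4880,4881,4883,4884,4885,4886,4887,4888,4889,4890,4891,4892,4893,4894,4895,4896,4897,4898,5168,4948,4949,4950,4951,4952,4953,4954,4956,4957,4958,4819,4909,4910,5063,5064,5065,5066,5067,6402,6403,6404,6405,6406,6407,6408,4610,4611,4614,4622,4697,4612,4615,5038,5056,5057,5061
blacklist7 = 4794,5376,5377,4692,4693,4694,4695,4688,4696,4928,4929,4930,4931,4934,4935,4936,4937,4932,4933,4978,4979,4980,4981,4982,4983,4984,4646,4650,4651,4652,4653,4655,4976,5049,5068,5069,5070,5447,6144,6145,4670,4672,4673,4674,4960,4961,4962,4963,4965,5478,5479,5480,5483,5484,5485,5024,5025,5027,5028,5029,5030,5032,5033,5034,5035,5037,5058,5059,6400,6401
blacklist8 = 4702,5148,4657,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4713,4716,4717,4718,4739,4864,4865,4866,4867,4704
blacklist9 = 4745,4746,4747,4748,4749,4750,4751,4752,4753,4759,4760,4761,4762,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737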
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0