We are trying to capture failed logons from our AD server but only want to capture specific event logs.
We are using the Splunk Deployment so we don't have to configure each of the 20 servers as we install the Universal Forwarder. I have done a lot of reading through the online docs and searching here but can't figure out how to whitelist only specific codes so we don't use up all of our license on data we don't want to see. Here is a snippet of the inputs.conf that I am pushing out with the deployment server. This is in the Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\local folder where it is pushed out. I just need a little assistance on what I am missing.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# Plain list form: comma-separated event codes and ranges, with no quotes and
# no "EventCode =" prefix (the quoted form above is not valid whitelist syntax).
whitelist = 4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,4720,4722-4726,4738,4740,4767,4771,4780,4781,5378
Help me stop pulling my hair out.
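To sanity-check a list like this before pushing it to 20 forwarders, here is an added example (not from the post or from Splunk) that models the comma-separated whitelist syntax, flags entries already covered by a range, and shows which constructed Security events would be kept; it assumes the documented "code,code,lo-hi" list form and is not Splunk's own matcher.

```python
"""Model a Splunk WinEventLog whitelist (codes and ranges) and check what it keeps."""
import re

# The list from the post, with the quotes and "EventCode =" prefix removed.
WHITELIST = ("4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,"
             "4720,4722-4726,4738,4740,4767,4771,4780,4781,5378")

# Constructed sample events (EventCode plus a label), not captured from a real DC.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "desc": "successful logon"},
    {"EventCode": 4625, "desc": "failed logon"},
    {"EventCode": 4634, "desc": "logoff (noise we do not want)"},
    {"EventCode": 4740, "desc": "account locked out"},
    {"EventCode": 4771, "desc": "Kerberos pre-authentication failed"},
    {"EventCode": 4776, "desc": "NTLM credential validation"},
]


def parse_whitelist(spec: str) -> set[int]:
    """Expand '4624,4728-4730' into the set of event codes it allows."""
    codes: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad whitelist entry: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"reversed range: {item!r}")
        codes.update(range(lo, hi + 1))
    return codes


def redundant_entries(spec: str) -> list[str]:
    """Entries fully covered by the other entries (e.g. 4723 inside 4722-4726)."""
    items = [i.strip() for i in spec.split(",") if i.strip()]
    expanded = [parse_whitelist(i) for i in items]
    redundant = []
    for idx, codes in enumerate(expanded):
        others = set().union(*(e for j, e in enumerate(expanded) if j != idx))
        if codes <= others:
            redundant.append(items[idx])
    return redundant


def kept_events(spec: str, events: list[dict]) -> list[dict]:
    """Return the events the forwarder would index under this whitelist."""
    allowed = parse_whitelist(spec)
    return [e for e in events if e["EventCode"] in allowed]
```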