https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536589#M12049 <DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Hey All,</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Sorry if this has been asked before but I couldnt see the same such post.&nbsp;</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>I want to include some specific windows logs and exclude all others. From what I can see the below config is including other events too - is this because I have Application and System Stanzas with no whitelists? Or do I need to include a blacklist too within this stanza?</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>[WinEventLog://Security]</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>disabled = 0</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>start_from = oldest</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>current_only = 0</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>evt_resolve_ad_obj = 1</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>checkpointInterval = 5</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>whitelist = 4776,4720,4723,1102,4624,4726,4625</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>renderXml=true</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Thanks!</SPAN></DIV></DIV></DIV> Wed, 20 Jan 2021 22:55:26 GMT achauhan2098 2021-01-20T22:55:26Z https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536589#M12049 <DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Hey All,</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Sorry if this has been asked before but I couldnt see the same such post.&nbsp;</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>I want to include some specific windows logs and exclude all others. From what I can see the below config is including other events too - is this because I have Application and System Stanzas with no whitelists? Or do I need to include a blacklist too within this stanza?</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>[WinEventLog://Security]</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>disabled = 0</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>start_from = oldest</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>current_only = 0</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>evt_resolve_ad_obj = 1</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>checkpointInterval = 5</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>whitelist = 4776,4720,4723,1102,4624,4726,4625</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>renderXml=true</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Thanks!</SPAN></DIV></DIV></DIV> Wed, 20 Jan 2021 22:55:26 GMT https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536589#M12049 achauhan2098 2021-01-20T22:55:26Z https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536599#M12050 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230681">@achauhan2098</a>,</P><P>Your whitelist should work, but if you have other WinEventLog stanzas present and do not want to index their events, do set disabled = 1 in those stanzas. By default, all events in the referenced event log will be indexed.</P> Thu, 21 Jan 2021 00:42:57 GMT https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536599#M12050 tscroggins 2021-01-21T00:42:57Z https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536666#M12051 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;</P><P>thanks for the reply. I think that was just my understanding of whitelisting.&nbsp; do you know of an easy way to find what windows events would sit in which stanzas? most of the time it will be obvious but for some events they could legitimately sit in either camp.&nbsp;</P><P>Thanks!&nbsp;</P> Thu, 21 Jan 2021 11:37:26 GMT https://community.splunk.com/t5/Security/Specific-Windows-Events-Only/m-p/536666#M12051 achauhan2098 2021-01-21T11:37:26Z