topic Re: Trouble Ingesting Whitelisted Event Codes in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Trouble-Ingesting-Whitelisted-Event-Codes/m-p/690392#M114875 <P>It appears that only one of my hosts is sending in security logs - the Splunk search head.&nbsp; Verified all other hosts have received the inputs.conf and are running with the required level of permissions.&nbsp; Don't see any windows firewall events which are blocking the outbound connection.</P> Tue, 11 Jun 2024 21:56:06 GMT kymenope 2024-06-11T21:56:06Z Trouble Ingesting Whitelisted Event Codes https://community.splunk.com/t5/Getting-Data-In/Trouble-Ingesting-Whitelisted-Event-Codes/m-p/690381#M114873 <P>My inputs.conf looks like this</P><P>&nbsp;</P><P>index = wineventlog</P><P>sourcetype = WinEventLog:Security</P><P>disabled = 0</P><P>whitelist = 1, 2, 3, 4, 5</P><P>blacklist1 = $XmlRegex="(?ms)&lt;EventID&gt;5156&lt;\/EventID&gt;.*&lt;Data\sName='Application'&gt;\\device\\harddiskvolume\d+\\program\sfiles\\splunkuniversalforwarder\\(bin\\splunkd\.exe|etc\\apps\\splunk_ta_stream\\windows_x86_64\\bin\\streamfwd\.exe)&lt;.*&lt;Data\sName='DestPort'&gt;(9997|443|8000)&lt;"<BR /><BR />blacklist2 = $XmlRegex="(?ms)&lt;EventID&gt;5156&lt;\/EventID&gt;.*&lt;Data\sName='DestAddress'&gt;(127.0.0.1|::1|0:0:0:0:0:0:0:1|169.254.*?|fe80:.*?)&lt;"<BR /><BR />blacklist3 = $XmlRegex="(?ms)&lt;EventID&gt;4688&lt;\/EventID&gt;.*&lt;Data\sName='NewProcessName'&gt;C:\\Program Files\\SplunkUniversalForwarder\\(etc\\apps\\Splunk_TA_stream\\windows_x86_64\\bin\\streamfwd.exe|bin\\(splunk-powershell.exe|splunk-MonitorNoHandle.exe|splunk-netmon.exe|splunk-regmon.exe|splunkd.exe|btool.exe|splunk.exe|splunk-winevtlog.exe|splunk-admon.exe|splunk-perfmon.exe|splunk-winprintmon.exe|splunk-wmi.exe))&lt;"</P><P>&nbsp;</P><P>I confirmed that this config has been pushed to all forwarders, the forwarders are using the local system account, and that the firewall is not blocking anything.&nbsp; Despite this the logs I am ingesting are unrelated to my explicit whitelist and are ~5% of what I am expecting to see.</P><P>Any ideas?</P> Tue, 11 Jun 2024 22:51:27 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-Ingesting-Whitelisted-Event-Codes/m-p/690381#M114873 kymenope 2024-06-11T22:51:27Z Re: Trouble Ingesting Whitelisted Event Codes https://community.splunk.com/t5/Getting-Data-In/Trouble-Ingesting-Whitelisted-Event-Codes/m-p/690392#M114875 <P>It appears that only one of my hosts is sending in security logs - the Splunk search head.&nbsp; Verified all other hosts have received the inputs.conf and are running with the required level of permissions.&nbsp; Don't see any windows firewall events which are blocking the outbound connection.</P> Tue, 11 Jun 2024 21:56:06 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-Ingesting-Whitelisted-Event-Codes/m-p/690392#M114875 kymenope 2024-06-11T21:56:06Z