https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140853#M28844 <P>Hello there,</P> <P>Have you tried using <CODE>blacklist</CODE> instead of <CODE>whitelist</CODE>?</P> <P>There's a good blog you can read here: <A href="http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/">http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/</A></P> Fri, 10 Apr 2015 13:21:41 GMT kendrickt 2015-04-10T13:21:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140852#M28843 <P>I have made the following changes in my inputs.conf. However no luck<BR /> Could anyone help me with this?</P> <P>[WinEventLog:Security]<BR /> ignoreOlderThan=24h<BR /> recursive=false<BR /> disabled=false<BR /> whitelist=1100-1102,1104,1105,1108,4608-4612,4614-4616,4618,4621,4622,4624-4626,4634,4646-4668,4670-4673,4675,4688-4702,4704-4707,4709-4720,4722-4735,4737-4794,4797,4800-4803,4816-4824,4864-4900,4902,4904-4913,4928-4937,4944-4954,4956-4958,4960-4965,4976-4985,5024,5025,5027-5035,5037-5051,5056-5071,5120-5127,5136-5159,5168,5376-5378,5440-5444,5446-5453,5456-5468,5471-5474,5477-5480,5483-5485,5632,5633,5712,5888-5890,6144,6145,6272-6281,6400-6409<BR /> index=indexname<BR /> sourcetype=sourcetypename</P> <P>However the above whitelist filter did not work at all. Specifically I dont want Eventcode 4674 events. So I have omitted it in whitelist.But events with 4674 are not getting filtered.</P> <P>Possible tries:</P> <P>Do I need to specify blacklist?<BR /> Do I mention like this "Eventcode=4566" ?<BR /> Do I use anyother stanza to achieve this?</P> <P>Thanks in advance.</P> Fri, 10 Apr 2015 12:35:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140852#M28843 splunkn 2015-04-10T12:35:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140853#M28844 <P>Hello there,</P> <P>Have you tried using <CODE>blacklist</CODE> instead of <CODE>whitelist</CODE>?</P> <P>There's a good blog you can read here: <A href="http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/">http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/</A></P> Fri, 10 Apr 2015 13:21:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140853#M28844 kendrickt 2015-04-10T13:21:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140854#M28845 <P>Many thanks for the reply.</P> <P>Yes. I have tried both whitelist and blacklist. <BR /> Still the filter did not work.<BR /> I have also tried to include evt_resolve_ad_obj = 1 in my inputs.conf.<BR /> However that also doesn't seem to work.<BR /> Could anyone please suggest any other possibilities to filter events based on event codes?</P> Mon, 28 Sep 2020 19:33:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140854#M28845 splunkn 2020-09-28T19:33:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140855#M28846 <P>Same problem.. whitelisting doesn't work. I would think that if you whitelist certain events everything else is blocked but not working for me either.</P> Sat, 13 Feb 2016 01:39:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140855#M28846 mendesjo 2016-02-13T01:39:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140856#M28847 <P>As you've not mentioned it, did you check that the UF installed on that machine is actually version 6?</P> Wed, 24 Feb 2016 22:46:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140856#M28847 laurie_gellatly 2016-02-24T22:46:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140857#M28848 <P>Found my problem.. between events I had one entry with two commas in a row, which made it not work.. all good.</P> Wed, 24 Feb 2016 23:10:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-events-by-changing-inputs-conf/m-p/140857#M28848 mendesjo 2016-02-24T23:10:03Z