https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171967#M34670 <P>I'm running Splunk 6.1 as my indexer. I have a 6.1 universal forwarder setup on a windows box and I'm trying to filter what event logs get sent back to the indexer.</P> <P>I added this stanza to inputs.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local:</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> blacklist = 5145,5156</P> <P>I then restarted the forwarder service and unfortunately I am still seeing 5145s and 5156s in my indexer. Am I missing something? I looked at splunkd.log but it didn't provide any insight on the issue.</P> <P>Josh</P> Tue, 05 Aug 2014 20:58:09 GMT jadams7325 2014-08-05T20:58:09Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171967#M34670 <P>I'm running Splunk 6.1 as my indexer. I have a 6.1 universal forwarder setup on a windows box and I'm trying to filter what event logs get sent back to the indexer.</P> <P>I added this stanza to inputs.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local:</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> blacklist = 5145,5156</P> <P>I then restarted the forwarder service and unfortunately I am still seeing 5145s and 5156s in my indexer. Am I missing something? I looked at splunkd.log but it didn't provide any insight on the issue.</P> <P>Josh</P> Tue, 05 Aug 2014 20:58:09 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171967#M34670 jadams7325 2014-08-05T20:58:09Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171968#M34671 <P>Take a look at this excellent blog post:</P> <P><A href="http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/">http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/</A></P> Tue, 05 Aug 2014 21:05:29 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171968#M34671 Jeff_Lightly_Sp 2014-08-05T21:05:29Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171969#M34672 <P>This blog is a good read. Other references</P> <P><A href="http://answers.splunk.com/answers/29218/filtering-windows-event-logs">http://answers.splunk.com/answers/29218/filtering-windows-event-logs</A></P> <P><A href="http://answers.splunk.com/answers/136559/filtering-wineventlogsecurity">http://answers.splunk.com/answers/136559/filtering-wineventlogsecurity</A></P> <P>They may have some extra filters, so adjust per your need.</P> Tue, 05 Aug 2014 21:21:46 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-Blacklist-not-Blacklisting/m-p/171969#M34672 somesoni2 2014-08-05T21:21:46Z