https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197264#M39188 <P>If you're using your Splunk server as a deployment server then you would edit the inputs.conf file in opt/splunk/etc/deploymentapps//local/inputs.conf and then once you made the change and restarted the server that configuration would automatically be pushed out.</P> <P>Yes you can configure whitelists and blacklists at the same time. Just remember that the blacklists take precedent.</P> <P>Splunk can handle up to 10 blacklists and whitelists. This is a good reference: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27">http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27</A></P> Mon, 29 Dec 2014 18:39:33 GMT kjhanson 2014-12-29T18:39:33Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197260#M39184 <P>We are trying to capture failed logons from our AD server but only want to capture specific event logs.</P> <P>We are using the Splunk Deployment so we don't have to configure each of the 20 servers as we install the Universal Forwarder. I have done a lot of reading through the online docus and searching here but can't figure out how to whitelist only specific codes so we don't use up all of our license on data we don't want to see. Here is a snippet of the input.conf that I am pushing out with the deployment server. This is in the Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\local folder where it is pushed out. I just need a little assistance on what I am missing.</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> whitelist = "EventCode = 4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,4720,4722-4726,4738,4740,4767,4771,4780,4781,5378"</P> <P>Help me stop pulling my hair out.</P> Mon, 28 Sep 2020 16:50:18 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197260#M39184 cannarella 2020-09-28T16:50:18Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197261#M39185 <P>You can use :</P> <P><CODE>whitelist = 4624,4625,4648,4649,4723,4724,4727,4728-4730,4737,4754,4755-4758,4720,4722-4726,4738,4740,4767,4771,4780,4781,5378</CODE></P> <P>and make sure that you restarted to apply, and that you are on version 6.0.* or 6.1.*</P> Thu, 12 Jun 2014 16:53:46 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197261#M39185 yannK 2014-06-12T16:53:46Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197262#M39186 <P>and use inputs.conf not input.conf.<BR /> to verify the result use the btool command.</P> <P><CODE>splunk cmd btool inputs list --debug</CODE></P> Thu, 12 Jun 2014 16:58:32 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197262#M39186 yannK 2014-06-12T16:58:32Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197263#M39187 <P>Hi,</P> <P>Even we are planning for the same thing in our environment can u help me out on this .</P> <P>i have deployment app on my splunk server and 60 windows server so to make changes in all the server at one time i need to go in to the app folder and in that input.conf ?</P> <P>can i configure blacklist and whitlist same time?</P> <P>is there any limitation in creating whitelist and blacklist ? </P> Thu, 13 Nov 2014 07:49:19 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197263#M39187 ITICSNORTH 2014-11-13T07:49:19Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197264#M39188 <P>If you're using your Splunk server as a deployment server then you would edit the inputs.conf file in opt/splunk/etc/deploymentapps//local/inputs.conf and then once you made the change and restarted the server that configuration would automatically be pushed out.</P> <P>Yes you can configure whitelists and blacklists at the same time. Just remember that the blacklists take precedent.</P> <P>Splunk can handle up to 10 blacklists and whitelists. This is a good reference: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27">http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27</A></P> Mon, 29 Dec 2014 18:39:33 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197264#M39188 kjhanson 2014-12-29T18:39:33Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197265#M39189 <P>This blog entry shows that on Splunk 6 you can just enter the EventCode numbers as shown here by @yannK -- <A href="http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/">http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/</A></P> Tue, 29 Sep 2015 23:31:34 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197265#M39189 wrangler2x 2015-09-29T23:31:34Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197266#M39190 <P>@yannK</P> <P>I'm having trouble with this. I implemented it in a deployment app, and just assumed it was working. But today I restarted a forwarder which gave me this error:</P> <P><CODE>Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\apps\OIT_WINEVENT_DC_INDEX_WIN_01\default\inputs<BR /> .conf, line 23: whitelist (value: 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,46<BR /> 18,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461 )</CODE></P> <P>Here is the stanza in question (from the deployment app inputs.conf):</P> <PRE><CODE>[WinEventLog:Security] disabled = 0 index= winevent_dc_index whitelist = 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,4618,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461 </CODE></PRE> <P>The forwarder is running on 6.1.4 code. Should it not work there? Or do you see something wrong with this?</P> Fri, 11 Dec 2015 23:31:05 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197266#M39190 wrangler2x 2015-12-11T23:31:05Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197267#M39191 <P>Hi Wrangler2x. <BR /> The feature existed on splunk 6.1.4<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata">http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata</A><BR /> it should be fine. </P> <P>can it be a typo in the string<BR /><BR /> check" 46 18," in the middle</P> <P>Or a text file encoding issue, try to edit the file with a code editor (notepad++ by example on window), and look for linebreaks or special characters.</P> Sat, 12 Dec 2015 00:07:41 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197267#M39191 yannK 2015-12-12T00:07:41Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197268#M39192 <P>The <EM>46 18</EM> is in the copy from an msdos window to the splunk Answers page of the error output. In the actual whitelist above, you can see <EM>4618</EM>. There are no embedded spaces in the whitelist anywhere. I have looked at the file in notepad++ and there are no embedded line breaks or special characters.</P> <P>I also just re-verified that this is 6.1.4, and it is a heavy forwarder.</P> <P>Also, the error is <STRONG>Invalid key in stanza</STRONG> and that seems like it does not recognize the term <EM>whitelist</EM>.</P> Sat, 12 Dec 2015 00:38:11 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197268#M39192 wrangler2x 2015-12-12T00:38:11Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197269#M39193 <P>Did you ever find an answer to your issue? I am experiencing the same and can't seem to find any info online.</P> Wed, 23 Mar 2016 13:06:25 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197269#M39193 Shayde_Nofziger 2016-03-23T13:06:25Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197270#M39194 <P>No. I'm guessing that it is not actually supported until 6.3.x, which I have yet to upgrade to. In the meantime, I've gone back to using the old drop/pass via props.conf and transforms.conf, like this:</P> <PRE><CODE>[WinEventCodeSecDrop] REGEX = . DEST_KEY = queue FORMAT = nullQueue [WinEventCodeSecPass] REGEX = (?m)^EventCode=(512|513|517|520|528|529|530|531|532|533|534|535|539|540|624|625|626|632|636|659|642|643|644|660|675|676|671|672|680|681|1100|1102|1104|1108|4612|4616|4618|4624|4625|4634|4720|4728|4729|4732|4733|4738|4740|4756|4757|4767|4768|4771|4772|4776|5461)[^0-9] DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Wed, 23 Mar 2016 20:26:52 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197270#M39194 wrangler2x 2016-03-23T20:26:52Z https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197271#M39195 <P>Try using:</P> <P>[WinEventLog://Security]</P> <P>instead of:</P> <P>[WinEventLog:Security]</P> Thu, 12 May 2016 16:39:15 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-whitelist-for-windows-eventlogs/m-p/197271#M39195 spayneort 2016-05-12T16:39:15Z