<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275814#M52907</link>
    <description>&lt;P&gt;I appreciate the prompt response. That answers part of my question about filtering, however, I am still trying to figure out why I am not receiving Event ID 800.&lt;/P&gt;

&lt;P&gt;Just to highlight:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;I am not receiving Event ID 800 at all&lt;/STRONG&gt; and trying to figure out why. After adding the stanza I mentioned above, I started receiving EventIDs 400, 403, and 600. Why is it that I am getting everything from that log except one EventID?&lt;/P&gt;

&lt;P&gt;In our architecture, we filter events from WinEventLog directly at the forwarder level. &lt;/P&gt;</description>
    <pubDate>Wed, 14 Sep 2016 09:46:33 GMT</pubDate>
    <dc:creator>adayton20</dc:creator>
    <dc:date>2016-09-14T09:46:33Z</dc:date>
    <item>
      <title>Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275812#M52905</link>
      <description>&lt;P&gt;Hello, &lt;/P&gt;

&lt;P&gt;I am trying to only capture EventIDs 400 and 800 inside the Windows PowerShell log (not the PowerShell Operational) found at &lt;/P&gt;

&lt;P&gt;%SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx&lt;/P&gt;

&lt;P&gt;I added the stanza below, which began generating logs, but for some reason I'm not receiving one of the EventIDs (800) I specified in the whitelist, and getting other EventIDs I didn't specify.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;##### Windows PowerShell (Administrative) #####
[WinEventLog://Windows PowerShell]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 800,400
blacklist1 = EventID="400" Message="*foo.ps1*" Message="*PartialPathName*" user="*SomeUser*"
blacklist2 = EventID="800" Message="*foo.ps1*" Message="*PartialPathName*" user="*SomeUser*"
index=wineventlog
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I am receiving 400, 403, and 600, but not 800. Based on my whitelist, shouldn't 403 and 600 be excluded?&lt;/P&gt;

&lt;P&gt;The stanza was added to /deployment-apps/Splunk_TA_windows/local/inputs.conf&lt;/P&gt;

&lt;P&gt;I followed instructions per Splunk Docs "Monitor Windows Data" to set up the stanza. &lt;/P&gt;

&lt;P&gt;The blacklists I applied are to filter out a specific PowerShell script in a path run by a unique user. I thought initially that may have been the problem, but I ran a few test ps1s to generate events and verified I am receiving EventID 400, and that foo.ps1 is filtered out for the specific path and user, so I do not think it has anything to do with my blacklists.&lt;/P&gt;

&lt;P&gt;I thought another app might be taking precedence. I read through Splunk docs "Configuration File Precedence", and based on the precedence given, couldn't find any app interfering.&lt;/P&gt;

&lt;P&gt;Any thoughts?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 10:57:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275812#M52905</guid>
      <dc:creator>adayton20</dc:creator>
      <dc:date>2020-09-29T10:57:49Z</dc:date>
    </item>
    <item>
      <title>Re: Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275813#M52906</link>
      <description>&lt;P&gt;You need to use transfroms.conf on your heavy forwarders or indexer to send the events to NULL.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad"&gt;http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 13 Sep 2016 20:38:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275813#M52906</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2016-09-13T20:38:50Z</dc:date>
    </item>
    <item>
      <title>Re: Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275814#M52907</link>
      <description>&lt;P&gt;I appreciate the prompt response. That answers part of my question about filtering, however, I am still trying to figure out why I am not receiving Event ID 800.&lt;/P&gt;

&lt;P&gt;Just to highlight:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;I am not receiving Event ID 800 at all&lt;/STRONG&gt; and trying to figure out why. After adding the stanza I mentioned above, I started receiving EventIDs 400, 403, and 600. Why is it that I am getting everything from that log except one EventID?&lt;/P&gt;

&lt;P&gt;In our architecture, we filter events from WinEventLog directly at the forwarder level. &lt;/P&gt;</description>
      <pubDate>Wed, 14 Sep 2016 09:46:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275814#M52907</guid>
      <dc:creator>adayton20</dc:creator>
      <dc:date>2016-09-14T09:46:33Z</dc:date>
    </item>
    <item>
      <title>Re: Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275815#M52908</link>
      <description>&lt;P&gt;Well, it turns out there was another app interfering, but it was named something goofy. One of our admins, now on vacation, decided to make a test windows app called 0test_win, which I discovered was taking precedence over everything in the Splunk_TA_Windows app. I also found a corresponding entry in the serverclass.conf. After examining the contents of the app to ensure it wasn’t going to break anything, I renamed the app “ztest_win” so it would move to the bottom of the app list. After restarting the deployment server, the stanza in my original post worked like a charm.  I am now only receiving EventIDs 400 and 800 for that sourcetype.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:03:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275815#M52908</guid>
      <dc:creator>adayton20</dc:creator>
      <dc:date>2020-09-29T11:03:33Z</dc:date>
    </item>
    <item>
      <title>Re: Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275816#M52909</link>
      <description>&lt;P&gt;file precedence will get you every time.&lt;/P&gt;</description>
      <pubDate>Tue, 20 Sep 2016 17:19:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Windows-Powershell-how-do-I-modify-inputs-conf-to-only/m-p/275816#M52909</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2016-09-20T17:19:38Z</dc:date>
    </item>
  </channel>
</rss>