https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320644#M59829 <P>This worked! thank you very much!</P> Tue, 06 Mar 2018 22:51:35 GMT mmcarty 2018-03-06T22:51:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320642#M59827 <P>Hello,<BR /> I installed a Universal Forwarder(UF) in a Windows servers box, I didn't select the customize options, I only did next and only specified my deployer, now after I am done, I would like to tell the windows servers that I only need Windows Security Logs (from the event viewer) to be forwarded to my Splunk instance, how do i do that? how do I change that?</P> <P>Thank you! </P> Tue, 06 Mar 2018 19:38:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320642#M59827 mmcarty 2018-03-06T19:38:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320643#M59828 <P>Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has <CODE>[WinEventLog:....</CODE> type stanza). You can say <CODE>disabled = 1</CODE> for all entries which you want to disable. Just keep <CODE>disabled =0</CODE> for <CODE>[WinEventLog:Security]</CODE> stanza.</P> Tue, 06 Mar 2018 20:26:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320643#M59828 somesoni2 2018-03-06T20:26:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320644#M59829 <P>This worked! thank you very much!</P> Tue, 06 Mar 2018 22:51:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-select-only-quot-Security-logs-quot-from-Windows/m-p/320644#M59829 mmcarty 2018-03-06T22:51:35Z