https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372703#M67600 <P>hi jrlane,<BR /> from <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A></P> <PRE><CODE>whitelist = **&lt;regular expression&gt;** * If set, files from this input are monitored only if their path matches the specified regex. * Takes precedence over the deprecated _whitelist setting, which functions the same way. </CODE></PRE> <P>in white list you have to insert a regex not a string or a field as the one you used in your example <CODE>index="myindex" SourceName="AD FS Auditing" EventCode=500</CODE><BR /> So if you use a rex command in your search instead of string you can see that your regex is wrong (backslashes before brachets and equal).<BR /> try using <CODE>whitelist1= SourceName\=\"AD FS Auditing\"</CODE> in your inputs.conf.</P> <P>You can verify this regex in this way:<BR /> using the regex of your whitelist, you don't have events</P> <PRE><CODE>index="myindex" EventCode=500 | rex "SourceName="AD FS Auditing"" </CODE></PRE> <P>instead if you use the correct regex, you'll find events</P> <PRE><CODE>index="myindex" EventCode=500 | rex "SourceName\=\"AD FS Auditing\"" </CODE></PRE> <P>Try it.</P> <P>Bye.<BR /> Giuseppe</P> Sat, 19 Aug 2017 06:11:39 GMT gcusello 2017-08-19T06:11:39Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372698#M67595 <P>I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.</P> <PRE><CODE>[WinEventLog://Security] whitelist= 4624, 4625 whitelist1= SourceName="AD FS Auditing" index=windows_evt </CODE></PRE> <P>With this config any events i put in the first whitelist line work perfectly, but the second line is not functional. As a test if I add an event code that will have a SourceName of <CODE>"AD FS Auditing"</CODE> (say EventCode=500) they come in just fine. I have tried various combinations of things for source name such as <CODE>"^AD FS Auditing$"</CODE> and <CODE>".*AD FS Auditing.*"</CODE> with no success.</P> Sat, 06 Jun 2020 23:54:07 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372698#M67595 jrlane 2020-06-06T23:54:07Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372699#M67596 <P>Hi jrlane,<BR /> probably there's an error in your regex: e.g. before brachets and equal you have to insert a backslash ().</P> <P>Try your regex in <A href="https://regex101.com/">https://regex101.com/</A> or in Splunk before insert it in whitelist.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 18 Aug 2017 06:08:31 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372699#M67596 gcusello 2017-08-18T06:08:31Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372700#M67597 <P>Hi jrlane,<BR /> probably there's an error in your regex: e.g. before brachets and equal you have to insert a backslash ().</P> <P>Try your regex in <A href="https://regex101.com/">https://regex101.com/</A> or in Splunk before insert it in whitelist.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 18 Aug 2017 06:08:31 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372700#M67597 gcusello 2017-08-18T06:08:31Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372701#M67598 <P>I don't see how regex could be the problem. Running this query <CODE>"index="myindex" SourceName="AD FS Auditing" EventCode=500</CODE> I get the the results I need, there should be no regex required on SourceName, it's an exact string.</P> Fri, 18 Aug 2017 13:51:05 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372701#M67598 jrlane 2017-08-18T13:51:05Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372702#M67599 <P>You are using both whitelist formats in the same stanza. That does not work, according to <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata</A>. </P> <BLOCKQUOTE> <P>You can specify one of two formats:</P> <P>One or more Event Log event codes or event IDs (Event Code/ID format.)<BR /><BR /> One or more sets of keys and regular expressions (Advanced filtering format.) <BR /> You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.</P> </BLOCKQUOTE> <P>Try this instead:</P> <PRE><CODE> [WinEventLog://Security] whitelist= EventCode="4624|4625" whitelist1= SourceName="AD FS Auditing" index=windows_evt </CODE></PRE> Sat, 19 Aug 2017 04:37:08 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372702#M67599 spayneort 2017-08-19T04:37:08Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372703#M67600 <P>hi jrlane,<BR /> from <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A></P> <PRE><CODE>whitelist = **&lt;regular expression&gt;** * If set, files from this input are monitored only if their path matches the specified regex. * Takes precedence over the deprecated _whitelist setting, which functions the same way. </CODE></PRE> <P>in white list you have to insert a regex not a string or a field as the one you used in your example <CODE>index="myindex" SourceName="AD FS Auditing" EventCode=500</CODE><BR /> So if you use a rex command in your search instead of string you can see that your regex is wrong (backslashes before brachets and equal).<BR /> try using <CODE>whitelist1= SourceName\=\"AD FS Auditing\"</CODE> in your inputs.conf.</P> <P>You can verify this regex in this way:<BR /> using the regex of your whitelist, you don't have events</P> <PRE><CODE>index="myindex" EventCode=500 | rex "SourceName="AD FS Auditing"" </CODE></PRE> <P>instead if you use the correct regex, you'll find events</P> <PRE><CODE>index="myindex" EventCode=500 | rex "SourceName\=\"AD FS Auditing\"" </CODE></PRE> <P>Try it.</P> <P>Bye.<BR /> Giuseppe</P> Sat, 19 Aug 2017 06:11:39 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372703#M67600 gcusello 2017-08-19T06:11:39Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372704#M67601 <P>Whitelisting for Wineventlog is a little bit tricky.</P> <P>First of all you can whitelist only with these fields:<BR /> Category, CategoryString, ComputerName, EventCode, EventType, Keywords,<BR /> LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,<BR /> TaskCategory, Type, User</P> <P>Then the logic behind differen whitelist rules is like this:</P> <P>whitelist OR whitelist1 OR whitelist2 OR .... OR whitelistN</P> <P>where each whitelist rule logic is like this </P> <P>rule1 AND rule2 AND ... AND ruleN</P> <P>Here a concrete example:</P> <P>whitelist = EventCode="4624|4625"<BR /> whitelist1 = SourceName="AD FS Auditing"<BR /> whitelist2 = Keywords="Audit Success" User="Bob Marley"</P> <P>This translates to:</P> <P>EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley")</P> Thu, 04 Jun 2020 09:17:30 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-whitelisting-by-SourceName-not-working/m-p/372704#M67601 sonny_monti 2020-06-04T09:17:30Z