topic Re: inputs.conf Windows event whitelist in Getting Data In

inputs.conf Windows event whitelist

isolsplunk — Wed, 30 Sep 2020 02:34:20 GMT

Hi guys,
it seems there's something wrong with my inputs.conf whitelist configuration :

[WinEventLog://System]
index = winsecevents
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
whitelist = EventCode="^104$" TaskCategory="^Log\sclear"

I tried of course with :
whitelist = EventCode="104" TaskCategory="Log clear"
or with the "message" conf like this one :

whitelist = EventCode="104" Message=".+log\sfile\swas\scleared."

But nothing has changed.
Do you have some ideas?
Thanks a lot.

Re: inputs.conf Windows event whitelist

sandeepmakkena — Thu, 17 Oct 2019 23:09:58 GMT

whitelist = EventCode=%^104$%

Try this edit and restart the Splunk, I hope this will help!

Re: inputs.conf Windows event whitelist

sandeepmakkena — Thu, 17 Oct 2019 23:21:56 GMT

props.conf

  [WinEventLog://System]
  TRANSFORMS-FilterEvent = FilterEvent

transforms.conf

 [FilterEvent]
 REGEX = EventCode="^104$" 
 DEST_KEY = queue
 FORMAT = nullQueue

Try this as well!

Re: inputs.conf Windows event whitelist

isolsplunk — Fri, 18 Oct 2019 05:16:19 GMT

Hi there,the issue is related to the second part of the filter : taskcategory/message (they are on the same line but the post has been modified.

Re: inputs.conf Windows event whitelist

gcusello — Fri, 18 Oct 2019 06:51:35 GMT

Hi
from https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = <regular expression>
* If set, files from this input are monitored only if their path matches the
  specified regex.
* Takes precedence over the deprecated '_whitelist' setting, which functions
  the same way.
* Default: Not set.

So check the regex with your logs escaping all special chars (as = or ") , it should be something like this:

whitelist = EventCode\=104.*TaskCategory\=Log\sclear

Ciao.
Giuseppe

Re: inputs.conf Windows event whitelist

isolsplunk — Wed, 30 Sep 2020 02:34:27 GMT

Ciao Giuseppe,
thanks for your comment.
I think i'm missing something...just to be clear,I'm trying to filter windows event logs and not custom.
In another stanza I have these settings that are running correctly :

[WinEventLog://Security]
index = winsecevents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662|566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="4634|4624" Message="Logon Type:\s+3"
blacklist3 = EventCode="4648|4658" Message="Process Name:\s+C:\Program\sFiles\Microsoft\sAzure\sAD\sSync\Bin\miiserver.exe"
renderXml=true

The difference is just the keyword "blacklist" instead of "whitelist" but this one :
whitelist = EventCode="104" TaskCategory=".*Log\sclear"
or this :
whitelist = EventCode="104" Message=".+\slog\sfile\swas\scleared."

looks totally correct to me.
Thanks.

Re: inputs.conf Windows event whitelist

isolsplunk — Fri, 18 Oct 2019 12:38:07 GMT

Ok,I understood why it doesn't works.
I have renderXml=true and if I check the windows event,there's not any field i was looking for.
I must change the logic,parsing the raw xml and looking through it.