https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553791#M91809 <P>Well, that's the regex format I'm using <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Thanks for confirming it should work. I'll test it before rolling out to prod anyway so I don't assume that something works and suddenly get surprised that it doesn't <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 02 Jun 2021 16:40:56 GMT PickleRick 2021-06-02T16:40:56Z https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553711#M91798 <P>I have a use-case:</P><P>There is a WEC server receving logs from a server farm. I need to forward only security events from Forwarded Events Log. Judging from inputs.conf specs it should be enough to define an input such as:</P><P>&nbsp;</P><LI-CODE lang="markup">[WinEventLog://ForwardedEvents] current_only = 0 disabled = 0 index = whatever renderXml = true whitelist = LogName=Security</LI-CODE><P>&nbsp;</P><P>And this configuration should provide me with only security events forwarded from the source hosts being pulled by UF, right? The rest of Forwarder Events log should be left alone?</P> Mon, 31 May 2021 13:23:19 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553711#M91798 PickleRick 2021-05-31T13:23:19Z https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553751#M91803 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;</P><P>The config should work, if not see the regex format as described here -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/admin/Inputsconf#Event_Log_allow_list_and_deny_list_formats" target="_blank">inputs.conf - Splunk Documentation</A></P><P>-----</P><P>An upvote would be appreciated if it helps!</P> Tue, 01 Jun 2021 02:10:22 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553751#M91803 venkatasri 2021-06-01T02:10:22Z https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553753#M91805 <P>I mean it only filters the Security events as you required. Docs says,</P><LI-CODE lang="markup"># Filtering at the input layer is desirable to reduce the total # processing load in network transfer and computation on the Splunk platform # nodes that acquire and processing Event Log data. whitelist = &lt;list of eventIDs&gt; | key=regex [key=regex]</LI-CODE><P>&nbsp;</P><P>-----</P><P>An upvote would be appreciated if it helps!</P> Tue, 01 Jun 2021 02:22:07 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553753#M91805 venkatasri 2021-06-01T02:22:07Z https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553791#M91809 <P>Well, that's the regex format I'm using <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Thanks for confirming it should work. I'll test it before rolling out to prod anyway so I don't assume that something works and suddenly get surprised that it doesn't <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 02 Jun 2021 16:40:56 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/553791#M91809 PickleRick 2021-06-02T16:40:56Z https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/554128#M91839 <P>It seems that the syntax was almost OK.</P><P>The regex should be delimited, otherwise the UF throws an error into logs at startup and ignores the condition.</P><P>So it should say:</P><LI-CODE lang="markup">whitelist = LogName="Security"</LI-CODE> Wed, 02 Jun 2021 16:40:05 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Filtering-Forwarded-Events-based-on-LogName/m-p/554128#M91839 PickleRick 2021-06-02T16:40:05Z