https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380536#M93909 <P>I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs <BR /> so I modified the "inputs.conf" file which contains:</P> <P>[WinEventLog:Security]<BR /> disabled=0</P> <H1>only index events with these event IDs.</H1> <P>whitelist = EventCode=4625<BR /> blacklist = EventCode=4624,4634,4648,4670,4672</P> <P>On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?</P> Tue, 29 Sep 2020 21:57:04 GMT jonsantos 2020-09-29T21:57:04Z https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380536#M93909 <P>I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs <BR /> so I modified the "inputs.conf" file which contains:</P> <P>[WinEventLog:Security]<BR /> disabled=0</P> <H1>only index events with these event IDs.</H1> <P>whitelist = EventCode=4625<BR /> blacklist = EventCode=4624,4634,4648,4670,4672</P> <P>On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?</P> Tue, 29 Sep 2020 21:57:04 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380536#M93909 jonsantos 2020-09-29T21:57:04Z https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380537#M93910 <P>I have configured my \etc\system\local\inputs.conf as follows:</P> <P>[WinEventLog://Security]<BR /> disabled = 0</P> <P>whitelist = EventCode="4625" </P> <P>The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.</P> Fri, 24 Jan 2020 17:35:01 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380537#M93910 sswigart 2020-01-24T17:35:01Z https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380538#M93911 <P>Hi dyude @jonsantos ,<BR /> Can u try this,</P> <P>On the deployment server create an inputs.conf file in the local diretory of winevt app( <STRONG>$SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf</STRONG>) and then try pushing the file.</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 </CODE></PRE> <P>An inputs.conf should get created in local directory of winevt app in the forwarder(<STRONG>C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf</STRONG> ). Check the permission of the inputs.conf file in forwarder.</P> <P>Search the logs with the given index name(if any). </P> <P>Let me know if this helps</P> Sun, 26 Jan 2020 20:29:06 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelist-Blacklist-Event-ID-using-Forwarder-Management/m-p/380538#M93911 vinod94 2020-01-26T20:29:06Z