Hello.
Good afternoon. Currently, we are ingesting Windows Events using Splunk_TA_windows. Within the inputs.conf file, we have a number of Event Codes blacklisted. Now, we are looking to create a second TA (based on Splunk_TA_windows) where two Event Codes will be removed from the blacklist. What would be the best method for setting the sourcetype for [WinEventLog://Security]? Our input looks like this ...
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 60
index = us_endpoint_microsoft_windows_security
renderXml=false
blacklist3=4820,4770,4773,4784,4789,4791,4792,4793,4764,4780,5376,5377,4797,4696,5712,4928,4929,4930,4931,4934,4935,4936,4937,4661,4662,5138,5139,4932,4933,4978,4979,4980,4981,4982,4983,4984,4650,4651,4652,4653,4655,4976,5049,5453,4654,4977,5451,5452,4626,4675,6272,6274,6275,6276,6277,6278,6279,6280,5378,5632,5633,4666,4667,4868,4869,4871,4872,4873,4874,4875,4876,4877,4878,4879,4880,4881,4883,4884,4886,4887,4889,4893,4894,4895,4896,4898,5120,5168,4658,4659,5031,5150,5151,5155,5157,5158,5159,5152,5153,4656,4658,4690,4671,4659,5149,5888,5889,5890,4659,4663,5039,4661,4818,4715,4817,4902,4904,4906,4713,4718,4864,4911,4913,4705,4714,4709,4710,4711,4712,5040,5041,5042,5043,5044,5045,5046,5047,5048,5440,5441,5442,5443,5444,5446,5448,5449,5450,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5471,5472,5473,5474,5477,4944,4945,4951,4952,4953,4954,4956,4957,4958,4819,4909,4910,5063,5064,5065,5066,5067,5068,5069,5070,5447,6144,6145,4674,4673,4674,4960,4961,4962,4963,4965,5478,5479,5480,5483,5484,5485,4621,4610,4622,4816,5038,5056,5057,5060,5061,5062,6281,5024,5027,5028,5029,5030,5032,5033,5035,5037,5058,5059,6400,6401,6402,6403,6404,6405,6406,6407,6408,4821,4822,4822,4823,4824,5071,5146,5147,6409,1105,5121,5122,5050,5123,5125,5126,5127,5156
And our sourcetype looks like this ...
[WinEventLog:Security]
FIELDALIAS-action = Accesses AS action
REPORT-change_type = report_change_type
FIELDALIAS-dest = ComputerName AS dest
FIELDALIAS-dvc = host AS dvc
REPORT-object = report_object
FIELDALIAS-object_path = Object_Name AS object_path
EVAL-status = case(Keywords="Audit Success","success",Keywords="Audit Failure","failure")
FIELDALIAS-user = Account_Name AS user
EVAL-vendor = "Microsoft"
EVAL-vendor_product = "Windows"
Any suggestions would be appreciated. Thanks.
Regards,
Max
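As an added worked example (not the poster's configuration and not part of Splunk_TA_windows), the script below parses the [WinEventLog://Security] stanza quoted in the post, flags event IDs that appear more than once in blacklist3, and emits the stanza a second TA would carry with two codes removed. The two codes (4661 and 4663) are an assumption, since the post does not name them; the stanza text itself is copied from the post.

```python
"""Derive a second TA's inputs.conf stanza from the one posted above,
removing two event codes from the blacklist and flagging duplicate IDs.
Added example, not the poster's or Splunk's own code."""
import re

# Constructed input: the [WinEventLog://Security] stanza as posted (blacklist3 copied from the post).
ORIGINAL_INPUTS = """\
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 60
index = us_endpoint_microsoft_windows_security
renderXml=false
blacklist3=4820,4770,4773,4784,4789,4791,4792,4793,4764,4780,5376,5377,4797,4696,5712,4928,4929,4930,4931,4934,4935,4936,4937,4661,4662,5138,5139,4932,4933,4978,4979,4980,4981,4982,4983,4984,4650,4651,4652,4653,4655,4976,5049,5453,4654,4977,5451,5452,4626,4675,6272,6274,6275,6276,6277,6278,6279,6280,5378,5632,5633,4666,4667,4868,4869,4871,4872,4873,4874,4875,4876,4877,4878,4879,4880,4881,4883,4884,4886,4887,4889,4893,4894,4895,4896,4898,5120,5168,4658,4659,5031,5150,5151,5155,5157,5158,5159,5152,5153,4656,4658,4690,4671,4659,5149,5888,5889,5890,4659,4663,5039,4661,4818,4715,4817,4902,4904,4906,4713,4718,4864,4911,4913,4705,4714,4709,4710,4711,4712,5040,5041,5042,5043,5044,5045,5046,5047,5048,5440,5441,5442,5443,5444,5446,5448,5449,5450,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5471,5472,5473,5474,5477,4944,4945,4951,4952,4953,4954,4956,4957,4958,4819,4909,4910,5063,5064,5065,5066,5067,5068,5069,5070,5447,6144,6145,4674,4673,4674,4960,4961,4962,4963,4965,5478,5479,5480,5483,5484,5485,4621,4610,4622,4816,5038,5056,5057,5060,5061,5062,6281,5024,5027,5028,5029,5030,5032,5033,5035,5037,5058,5059,6400,6401,6402,6403,6404,6405,6406,6407,6408,4821,4822,4822,4823,4824,5071,5146,5147,6409,1105,5121,5122,5050,5123,5125,5126,5127,5156
"""

# Assumption: the two codes the second TA should stop suppressing (the post does not name them).
CODES_TO_UNBLACKLIST = (4661, 4663)

BLACKLIST_KEY = re.compile(r"blacklist\d*")  # blacklist, blacklist1 .. blacklist9


def parse_stanza(text, name):
    """Return the key/value pairs of one stanza as a dict, in file order (Splunk .conf syntax)."""
    settings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if current == name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def blacklist_codes(settings):
    """Flatten the numeric blacklist keys into one list of event IDs, in order.
    Only plain comma-separated ID lists are handled; a regex-style blacklist value is skipped."""
    codes = []
    for key, value in settings.items():
        if BLACKLIST_KEY.fullmatch(key):
            codes.extend(int(c) for c in value.split(",") if c.strip().isdigit())
    return codes


def duplicate_codes(codes):
    """Event IDs listed more than once: harmless to Splunk, but noise when auditing what is suppressed."""
    return sorted(c for c in set(codes) if codes.count(c) > 1)


def derive_blacklist(codes, unblacklist):
    """Drop the given codes and collapse duplicates, keeping first-seen order."""
    seen, kept = set(), []
    for c in codes:
        if c in unblacklist or c in seen:
            continue
        seen.add(c)
        kept.append(c)
    return kept


def render_stanza(name, settings, blacklist_key, codes):
    """Re-emit the stanza with a single blacklist key carrying the derived list."""
    lines = [f"[{name}]"]
    for key, value in settings.items():
        if BLACKLIST_KEY.fullmatch(key):
            continue
        lines.append(f"{key} = {value}")
    lines.append(f"{blacklist_key} = " + ",".join(str(c) for c in codes))
    return "\n".join(lines) + "\n"


def build_second_ta_stanza(text=ORIGINAL_INPUTS, name="WinEventLog://Security",
                           unblacklist=CODES_TO_UNBLACKLIST):
    """Return (stanza text for the second TA, duplicate IDs found in the original blacklist)."""
    settings = parse_stanza(text, name)
    codes = blacklist_codes(settings)
    derived = derive_blacklist(codes, set(unblacklist))
    # Keep the same key name (blacklist3): Splunk merges same-named stanzas across apps key by key,
    # so a blacklist1 in the new app would coexist with the original blacklist3 instead of replacing it.
    return render_stanza(name, settings, "blacklist3", derived), duplicate_codes(codes)


if __name__ == "__main__":
    stanza, dups = build_second_ta_stanza()
    print(stanza)
    print("IDs listed more than once in the original blacklist:", dups)
```

Two points the script makes visible that the post does not: the original blacklist3 carries several IDs twice or three times, and the derived stanza must reuse the key name blacklist3, because Splunk merges identically named stanzas from different apps setting by setting; a differently numbered blacklist key would be added alongside the original rather than replace it. After deploying, `splunk btool inputs list WinEventLog://Security --debug` shows which app's file supplied each effective key.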