Whitelist/Blacklist Event ID using Forwarder Management


I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs
so I modified the "inputs.conf" file which contains:


only index events with these event IDs.

whitelist = EventCode=4625
blacklist = EventCode=4624,4634,4648,4670,4672

On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?

Tags (1)
0 Karma


Hi dyude @jonsantos ,
Can u try this,

On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file.

disabled = 0
whitelist1 = EventCode=4625

An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder.

Search the logs with the given index name(if any).

Let me know if this helps

0 Karma

New Member

I have configured my \etc\system\local\inputs.conf as follows:

disabled = 0

whitelist = EventCode="4625"

The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!