I need only the data of two users (nacuser, paloaltouid) who failed to log in to the servers to be indexed in Splunk Cloud. Please let me know whether the configuration below is correct or not.
And please provide me the exact configuration to index the failed login logs for those specific users.
inputs.conf
[WinEventLog://Security]
disabled = 0
whitelist1 = 4624
whitelist2 = "user = nacuser,paloaltouid"
The key in the key/regular-expression pair starts with upper case. In this case it should be User and not user.
whitelist2= User="nacuser"
whitelist3= User="paloaltouid"
OR
whitelist2= User="^nacuser$"
whitelist3= User="^paloaltouid$"
Further, if you have more than one value of the same key to be filtered, you should define separate whitelists, since only the last one will be used otherwise. Refer to the following snippet from the Splunk documentation:
Note: You cannot specify an entry that has more than one key/regular expression set that references the same key. If, for example, you specify:
whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$"
Splunk Enterprise ignores the first set and only attempts to include events that match the second set. In this case, only events that contain an EventCode between 20 and 25 match. Events that contain an EventCode between 10 and 15 do not match. Only the last set in the entry ever matches. To resolve this problem, specify two separate entries in the stanza:
whitelist = EventCode="^1([0-5])$"
whitelist1 = EventCode="^2([0-5])$"
[WinEventLog://Security]
disabled = 0
index= activedirectory
whitelist = 4624,4625
whitelist1= User="^nacuser$"
whitelist2= User="^paloaltouid$"
I have used the same inputs.conf configuration, but I haven't seen any filtered events being indexed in Splunk.
But when I exclude whitelist1 and whitelist2, I can see all the events being indexed in Splunk.
Please let me know if I have to make any edits.
Was the result the same for the following as well?
whitelist2= User="nacuser"
whitelist3= User="paloaltouid"
Yes, the stanzas were not indexing.
Can you try replacing the double quotes with percent signs? Also try using just one whitelist at a time.
If 4624,4625 are EventCodes, keep just whitelist=4624,4625 and check whether you see the correct events or not. Similarly for just whitelist1 as whitelist, and finally just whitelist2 as whitelist.
whitelist1= User=%^nacuser$%
whitelist2= User=%^paloaltouid$%
[WinEventLog://Security]
disabled = 0
index = activedirectory
whitelist = 4624,4625
whitelist = User=%^nacuser$%
whitelist = User=%^paloaltouid$%
I have used this stanza. No events seen. The User whitelists are not extracting any data.
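The thread turns on three behaviours of the whitelist setting: within one entry, a second set on the same key replaces the first (the documentation excerpt quoted in the answer); whitelist, whitelist1 and whitelist2 are separate numbered entries; and the last stanza posted repeats the bare setting name whitelist three times, which is not the numbered form. The Python model below is an added example written for this page, not Splunk code and not posted by anyone in the thread. It assumes, from Splunk's documentation rather than from anything quoted above, that separate numbered entries are alternatives (an event passes if any entry matches) and that sets on different keys inside one entry must all match; confirm both against the inputs.conf.spec of your Splunk version before relying on them. It accepts regexes delimited by double quotes or by percent signs, as discussed in the thread, and runs the stanzas from the thread over a handful of constructed events.

```python
"""Model of Splunk WinEventLog whitelist filtering (added example, not Splunk code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# key=regex, with the regex delimited by double quotes or by percent signs
SET_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')


@dataclass
class Entry:
    name: str                                    # whitelist, whitelist1, ...
    codes: Optional[set] = None                  # the plain "4624,4625" form
    sets: dict = field(default_factory=dict)     # key -> regex for the key=regex form
    dropped: list = field(default_factory=list)  # same-key sets replaced by a later set


def parse_entry(name, value):
    """Parse one whitelist value; a repeated key keeps only its last set (documented behaviour)."""
    value = value.strip()
    if re.fullmatch(r"\d+(?:\s*,\s*\d+)*", value):
        return Entry(name, codes={c.strip() for c in value.split(",")})
    entry = Entry(name)
    for m in SET_RE.finditer(value):
        key = m.group(1)
        pattern = m.group(2) if m.group(2) is not None else m.group(3)
        if key in entry.sets:
            entry.dropped.append((key, entry.sets[key]))
        entry.sets[key] = pattern
    if not entry.sets:
        raise ValueError(f"{name}: cannot parse {value!r}")
    return entry


def parse_stanza(text):
    """Return (whitelist entries, repeated setting names).

    A setting name that appears twice in one stanza is a configuration error;
    this model keeps the last occurrence and reports the repeat (assumption)."""
    seen, entries, duplicates = set(), {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")) or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in seen:
            duplicates.append(name)
        seen.add(name)
        if re.fullmatch(r"whitelist[0-9]?", name):
            entries[name] = parse_entry(name, value)
    return list(entries.values()), duplicates


def matches(entry, event):
    """Assumed: an EventCode list is membership; key=regex sets in one entry must all match."""
    if entry.codes is not None:
        return event.get("EventCode") in entry.codes
    return all(re.search(p, event.get(k, "")) is not None for k, p in entry.sets.items())


def allowed(entries, event):
    """Assumed: numbered entries are alternatives; no whitelist at all passes everything."""
    return not entries or any(matches(e, event) for e in entries)


def filter_events(stanza, events):
    entries, _ = parse_stanza(stanza)
    return [ev for ev in events if allowed(entries, ev)]


# Stanza from the last post: the same setting name three times, not whitelist1/whitelist2.
DUPLICATE_STANZA = """[WinEventLog://Security]
whitelist = 4624,4625
whitelist = User=%^nacuser$%
whitelist = User=%^paloaltouid$%"""
# Same key twice in ONE entry: the documentation example quoted in the answer.
SAME_KEY_STANZA = """[WinEventLog://Security]
whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$\""""
# Numbered entries: the EventCode list is its own alternative, so any account passes on it.
ORED_STANZA = """[WinEventLog://Security]
whitelist = 4624,4625
whitelist1 = User=%^nacuser$%
whitelist2 = User=%^paloaltouid$%"""
# Unanchored regex from the answer's first suggestion: also matches nacuser2.
UNANCHORED_STANZA = """[WinEventLog://Security]
whitelist = User="nacuser\""""
# Assumed AND inside one entry: "failed logons (4625) for exactly these two accounts".
ANDED_STANZA = """[WinEventLog://Security]
whitelist = EventCode="^4625$" User="^(nacuser|paloaltouid)$\""""

SAMPLE_EVENTS = [  # constructed, not real captures; only the two keys used here
    {"EventCode": "4625", "User": "nacuser"},
    {"EventCode": "4625", "User": "paloaltouid"},
    {"EventCode": "4624", "User": "nacuser"},
    {"EventCode": "4624", "User": "svc_backup"},
    {"EventCode": "4625", "User": "nacuser2"},
    {"EventCode": "4672", "User": "paloaltouid"},
    {"EventCode": "12", "User": "x"},
    {"EventCode": "22", "User": "x"},
]

if __name__ == "__main__":
    for label, stanza in [("repeated names", DUPLICATE_STANZA), ("same key twice", SAME_KEY_STANZA),
                          ("numbered entries", ORED_STANZA), ("unanchored", UNANCHORED_STANZA),
                          ("one AND entry", ANDED_STANZA)]:
        entries, dups = parse_stanza(stanza)
        kept = filter_events(stanza, SAMPLE_EVENTS)
        print(f"{label}: repeated={dups} dropped={[e.dropped for e in entries]} "
              f"kept={[(ev['EventCode'], ev['User']) for ev in kept]}")
```

Running it shows why the numbered form lets through 4624/4625 events from every account (the bare EventCode list is an alternative on its own), why the repeated-name stanza collapses to a single User filter, and why one entry carrying both EventCode and User is the shape that expresses the original requirement. One check worth doing before blaming the regex: with only whitelist = 4624,4625 in place, look at the raw User field of the 4625 events that do arrive. On many hosts the header field of logon events is NOT_FOUND or N/A and the account name appears only in the Message body; a User= set can never match there and the filter has to be written against Message instead. If the field does carry a domain prefix, an anchored ^nacuser$ will not match it either.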