Re: XML - WinEvent Whitelist

cstewart28 · ‎12-12-2019

I have see other example, but non using XML for the whitelist. I only have a 2GB license and I have to go very slow at what I collect and add in event ID until I reach close to the max. I look at my index and I see a bunch of other event ids, what did I do wrong?

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist= $XmlRegex= EventCode="106, 4624, 4625"
renderXml = true
index = xmlwineventlog

BDein · ‎10-25-2022

@richgalloway your whitelist = 106,4624,4625 will not work as long renderXml = true according to the documentation.

With renderXml = true you need to use: $XmlRegex

woodcock · ‎12-14-2019

Here are the docs:
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_a...
Try this (assuming the events have the strings Eventcode=106, Eventcode=4624, andEventcode=4625.

whitelist= $XmlRegex= EventCode=(106|4624|4625)

richgalloway · ‎12-12-2019

Not sure, but I think whitelist = 106,4624,4625 should work.

---
If this reply helps you, Karma would be appreciated.

XML - WinEvent Whitelist

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices

Are you a member of the Splunk Community?

XML - WinEvent Whitelist

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices