
Blacklisting Windows EventCode

New Member

Hello,

I have Windows heavy forwarders on version 6.2 which collect events from many universal forwarders.
I need to blacklist some Windows event codes, so I configured this in inputs.conf:

[WinEventLog://Security]
blacklist = 4634
disabled = 0

But the event code isn't filtered.
Can you help me find the source of the problem?
Thank you.


Builder

Here's one of my inputs that works.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
index = idx_security
renderXml = false

I think in your case, you can just add

blacklist1 = EventCode="4634"

Assuming that 'EventCode' is a valid field.
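As an added example (not code from the thread), the Python model below applies Splunk's documented blacklist semantics, key="regex" pairs ANDed within one entry and separate blacklistN entries ORed, to the answer's stanza and to the question's plain `blacklist = 4634` form. The event dicts, their Message text and the field names are constructed assumptions; the padded-whitespace event shows how `\s+` can backtrack past a negative lookahead so an entry matches when it was meant not to.

```python
import re
from typing import Dict, List, Tuple

# constructed event representation: Splunk field name -> extracted value
Event = Dict[str, str]

# one key="regex" pair; the regex text is kept verbatim so escapes like \s survive
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_blacklist(value: str) -> List[Tuple[str, re.Pattern]]:
    """Parse one blacklist/blacklistN value into [(field, compiled regex), ...].
    The plain form ('4634' or '4624,4634-4640'), as in the question's stanza,
    is treated as a list of EventCode values."""
    pairs = PAIR_RE.findall(value)
    if pairs:
        return [(field, re.compile(rx)) for field, rx in pairs]
    codes: List[str] = []
    for part in (p.strip() for p in value.split(",") if p.strip()):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.extend(str(c) for c in range(lo, hi + 1))
        else:
            codes.append(part)
    return [("EventCode", re.compile("^(?:%s)$" % "|".join(map(re.escape, codes))))]

def entry_matches(entry: List[Tuple[str, re.Pattern]], event: Event) -> bool:
    # all pairs inside one entry must match (ANDed); each regex is an unanchored search
    return all(rx.search(event.get(field, "")) for field, rx in entry)

def is_blacklisted(stanza: Dict[str, str], event: Event) -> bool:
    """Any blacklist* key whose entry matches drops the event (entries are ORed)."""
    entries = [parse_blacklist(v) for k, v in stanza.items() if k.startswith("blacklist")]
    return any(entry_matches(e, event) for e in entries)

# the answer's filtering keys plus its suggested line for event 4634
STANZA = {
    "blacklist1": r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"',
    "blacklist2": r'EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"',
    "blacklist3": r'EventCode="4634"',
}

# constructed sample events
LOGOFF = {"EventCode": "4634", "Message": "An account was logged off."}
GPO_OBJECT = {"EventCode": "4662", "Message": "Object Type: groupPolicyContainer"}
USER_OBJECT = {"EventCode": "4662", "Message": "Object Type: user"}
# two whitespace characters let \s+ give one back, so the lookahead no longer starts
# at 'groupPolicyContainer' and the entry matches: dropped although meant to be kept
GPO_PADDED = {"EventCode": "4662", "Message": "Object Type:\t\tgroupPolicyContainer"}
```

These whitelist/blacklist settings are evaluated by the WinEventLog input on the host that reads the log, so a stanza on a heavy forwarder filters only events it collects itself, not events already forwarded to it by universal forwarders.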