Getting Data In

Blacklisting Windows EventCode

New Member


I have Heavy forwarders windows in 6.2 version who's collecting the event from many universal forwarder.
I need to blacklist some windows event code so I configured in inputs.conf

blacklist = 4634
disabled = 0

But the eventcode isn't filtered.
Can you help me to find the source of the problem?
Thank you.

Tags (2)
0 Karma


Here's one of my inputs that works.

 disabled = 0
 start_from = oldest
 current_only = 0
 evt_resolve_ad_obj = 1
 checkpointInterval = 5
 blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
 blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
 blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
 index = idx_security

I think in your case, you can just add

blacklist1 = EventCode="4634"

Assuming that 'EventCode' is a valid field.

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!