Re: Can I forward only success logs of security lo...

05500 · ‎05-21-2015

Once we forward security logs for windows event log using Universal forwarder from each servers to splunk server,
Can I forward only success logs?

miteshvohra · ‎05-25-2015

You can use Whitelist stanza in your inputs.conf. You can add the keywords/event-codes that are part of the events you wish to capture.

Here is the doc link for detailed explanation.

Mitesh.

joshd · ‎05-21-2015

What you want to look at is using the whitelist and blacklist features within inputs.conf on the universal forwarder to only capture the specific Windows EventCode to meet your needs.

Details on the inputs configuration here: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...

Splunk blog post with real examples here: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

05500 · ‎05-24-2015

Can I control which part of file for forwarding only success security log of event viewer?
Can I setup on source server with installed universal forwarder or destination server (Splunk server)?
I want to know detail settings.

Can I forward only success logs of security log for windows using universal forwarder?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Can I forward only success logs of security log for windows using universal forwarder?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2