Getting Data In

How to configure inputs.conf to blacklist Windows Event Logs on indexer?

kpavan
Path Finder

Hi,

Below is the inputs.conf which I have configured on my indexer, but it is not blocking anything. Is this the correct format or not? I need to block it at the indexer level since I have many forwarders. Please let me know the correct configuration.

[WinEventLog://Application]
disabled = 1
start_from = newest
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = *

Thanks!

0 Karma

ppablo
Retired

Hi @kpavan

From this blog post on filtering Windows Event Logs with blacklist, it seems like you can only filter with inputs.conf on the forwarder.

http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

The author mentions in the comment thread that they do have an earlier blog post on filtering at the indexer level, but I didn't have any luck finding that post specific to what you're looking for. If this doesn't resolve your issue, hopefully a configuration expert on filtering can chime in.

0 Karma

kpavan
Path Finder

Is there a way to block a specific host/IP which is sending all its logs to the indexer?

0 Karma

MuS
SplunkTrust

If you want it to be filtered on the indexer, follow these docs about "Filter event data and send to queues". This way you can nullQueue unneeded events.

0 Karma
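As an added example (not from the original thread, and not Splunk's own documentation text), here is what the nullQueue approach referred to above looks like when placed on the indexer. It covers both questions raised in this thread: dropping EventCode 7036 from the System log, and dropping everything from one host. Assumptions: the sourcetype WinEventLog:System (what the classic [WinEventLog://System] input assigns), a hypothetical host name noisy-host01, and the transform class/stanza names null7036 and drop_noisy_host, which are my own choices.

```ini
# props.conf on the indexer ($SPLUNK_HOME/etc/system/local or an app's local/).
# These parsing-time rules only fire where the data is parsed: universal
# forwarders send unparsed data, so the indexer parses it and applies them.
# Sourcetype assumed: WinEventLog:System is what [WinEventLog://System] sets.
[WinEventLog:System]
TRANSFORMS-null7036 = null7036

# Drop every event from one host, regardless of sourcetype.
# Host name is hypothetical.
[host::noisy-host01]
TRANSFORMS-drophost = drop_noisy_host

# transforms.conf on the indexer
[null7036]
# Classic (non-XML) WinEventLog events are multi-line "key=value" text,
# so (?m) lets ^ anchor to the start of the "EventCode=7036" line.
REGEX = (?m)^EventCode=7036\b
DEST_KEY = queue
FORMAT = nullQueue

[drop_noisy_host]
# Match any event; the [host::...] stanza in props.conf already scopes it.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after adding these, then confirm the merged configuration with `splunk btool props list WinEventLog:System --debug` and `splunk btool transforms list null7036 --debug`. Two caveats worth checking before concluding it "does not work": if the forwarder's input sets renderXml = true, the event body is XML and the regex must match `<EventID>7036</EventID>` instead of `EventCode=7036`; and if the data passes through a heavy forwarder, parsing already happened there, so the same props.conf and transforms.conf stanzas must live on the heavy forwarder rather than the indexer.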

kpavan
Path Finder

Thanks for your quick response!

Actually it did work in the UF. Since I have too many UFs, I would like to filter at the indexer level.

0 Karma

kpavan
Path Finder

I configured the same on the UF inputs.conf and it is blocking, but when I applied it on the indexer it is not:

[WinEventLog://System]
disabled = 0
start_from = newest
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 7036

0 Karma

ITICSNORTH
Explorer

It's not working on the UF either 😞

0 Karma