Hello, everybody!
I have a question.
We collect the WMI Security event log. So the sourcetype in Splunk is "wmi:eventlog:security".
How can I filter events by EventCode=5145?
How can I use "blacklist" in inputs.conf? Or must I use props.conf and transforms.conf? In what stanza should I create them?
P.S. I have splunk 6.1.1.
Thanks.
In Splunk 6.2.3 release stanza should be [WinEventLog:Security] instead of [WMI:WinEventLog:Security]
For more details about the stanza settings in inputs.conf, please refer to Splunk Documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata
Put this under the security log WMI stanza in inputs.conf:
blacklist = 5145
Should do the trick.
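As an added example (not part of any answer in this thread), here are both filtering routes for EventCode 5145 side by side. The `blacklist` setting belongs to the native Windows Event Log input stanza, `[WinEventLog://Security]`, in inputs.conf on the forwarder that reads the log; it drops matching events before they are sent. The props.conf/transforms.conf route instead matches the already-collected events by their existing sourcetype (`wmi:eventlog:security` from the question) and routes them to `nullQueue`, so it works regardless of which input produced the data. Stanza and transform names other than the sourcetype and the WinEventLog stanza are assumptions chosen for this example:

```ini
# --- Route 1: inputs.conf on the collecting forwarder (native WinEventLog input) ---
# Drops event 5145 at collection time. This setting is specific to the
# WinEventLog input stanza shown here.
[WinEventLog://Security]
disabled = 0
blacklist = 5145

# --- Route 2: props.conf on the indexer (or heavy forwarder) that parses the data ---
# Key the transform off the sourcetype the events already carry. The stanza
# name "drop_eventcode_5145" is an arbitrary name chosen for this example.
[wmi:eventlog:security]
TRANSFORMS-drop5145 = drop_eventcode_5145

# --- Route 2: transforms.conf, same instance as the props.conf above ---
# Anchor the match to a whole line so EventCode=51450 or similar is not
# swallowed by accident. (?m) makes ^ and $ match per line in the event body.
[drop_eventcode_5145]
REGEX = (?m)^EventCode=5145\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

Two checks worth doing after the change: the props/transforms pair only takes effect on the first Splunk instance that parses the data (indexer or heavy forwarder, never a universal forwarder), and that instance needs a restart to pick up the new stanzas. Afterwards, `sourcetype="wmi:eventlog:security" EventCode=5145` should return no new events while other event codes keep arriving, which confirms the regex did not match more than intended.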
I did this, but I get an error that the parameter is unknown in the WMI stanza.
Any idea how I should filter events using the props and transforms conf files?