- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to filter Windows Security events by chang...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to filter Windows Security events by changing inputs conf
I have made the following changes in my inputs.conf. However no luck
Could anyone help me with this?
[WinEventLog:Security]
ignoreOlderThan=24h
recursive=false
disabled=false
whitelist=1100-1102,1104,1105,1108,4608-4612,4614-4616,4618,4621,4622,4624-4626,4634,4646-4668,4670-4673,4675,4688-4702,4704-4707,4709-4720,4722-4735,4737-4794,4797,4800-4803,4816-4824,4864-4900,4902,4904-4913,4928-4937,4944-4954,4956-4958,4960-4965,4976-4985,5024,5025,5027-5035,5037-5051,5056-5071,5120-5127,5136-5159,5168,5376-5378,5440-5444,5446-5453,5456-5468,5471-5474,5477-5480,5483-5485,5632,5633,5712,5888-5890,6144,6145,6272-6281,6400-6409
index=indexname
sourcetype=sourcetypename
However the above whitelist filter did not work at all. Specifically I dont want Eventcode 4674 events. So I have omitted it in whitelist.But events with 4674 are not getting filtered.
Possible tries:
Do I need to specify blacklist?
Do I mention like this "Eventcode=4566" ?
Do I use anyother stanza to achieve this?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As you've not mentioned it, did you check that the UF installed on that machine is actually version 6?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found my problem.. between events I had one entry with two commas in a row, which made it not work.. all good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for the reply.
Yes. I have tried both whitelist and blacklist.
Still the filter did not work.
I have also tried to include evt_resolve_ad_obj = 1 in my inputs.conf.
However that also doesn't seem to work.
Could anyone please suggest any other possibilities to filter events based on event codes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problem.. whitelisting doesn't work. I would think that if you whitelist certain events everything else is blocked but not working for me either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there,
Have you tried using blacklist instead of whitelist?
There's a good blog you can read here: http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
