Getting Data In
Highlighted

How to filter windows event logs in forwarder based on event codes.

Engager

Hi,

I am trying to pull event logs from remote machines using universal forwarders. I have done the configuration in the inputs.conf files.
below is the configuration in my inputs.conf file.
[WinEventLog://Application]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://Security]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://System]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://Setup]
disabled = 0
index = win_events
crcSalt = SOURCE

Now I dont want all event codes from the logs. I would require only 4800 and 4801.
is there any way in which only the events related to the two events can be forwarded to an index.

Thanks

0 Karma
Highlighted

Re: How to filter windows event logs in forwarder based on event codes.

SplunkTrust
SplunkTrust
0 Karma