Getting Data In

How to monitor [WinEventLog://System] event logs for "Critical" or "Error" event logs only (Level 1 and 2)

Builder

Is there any way to monitor System Event Viewer logs ( [WinEventLog://System] ) for Event Level set to "Critical" and/or "Error" only (Level =1 or 2) ?

alt text

0 Karma

Path Finder

It appears Splunk should allow you to whitelist based on Type, which is the field/key where the level is sent.

I would start with:
whitelist = Type="^[1|2]"

references:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/MonitorWindowseventlogdata#Create_advanced_fi...
https://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx

Builder

@danielransell , confirmed. I was able to test it yesterday: used "whitelist = Type = "Error" " in our test environment

0 Karma

Path Finder

I think you want to look at whitelisting for this. I have blacklisted certain event codes when ingesting security logs - I believe you can also perform whitelisting, that is on ingest events that meet a particular criteria.

0 Karma

Builder

@danielransell we whitelist Event Codes , for example. But cannot find any mentioning on how to whitelist Levels (Critical, Error)

0 Karma

Splunk Employee
Splunk Employee

To whitelist levels, you would need to create a whitelist regex. you should be able to mix event IDs and regex with separate lines like so:

whitelist1 = <list of eventIDs>
whitelist2 = key=regex [key=regex]
0 Karma

Builder

@ jconger , it's not clear to me what you mean. can you , please, give more details or examples?
We are trying to get errors no matter what event ID is.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!