Getting Data In

How to select only "Security logs" from Windows?

mmcarty
New Member

Hello,
I installed a Universal Forwarder (UF) on a Windows server box. I didn't select the customize options; I only clicked Next and only specified my deployer. Now that I am done, I would like to tell the Windows server that I only need Windows Security logs (from the Event Viewer) to be forwarded to my Splunk instance. How do I do that? How do I change that?

Thank you!

0 Karma
1 Solution

somesoni2
Revered Legend

Look for inputs.conf in your Universal Forwarder ($SPLUNK_HOME/etc/apps; it should be under some app). There can be many inputs.conf files; find the one that has a [WinEventLog:.... type stanza. You can set disabled = 1 for all entries which you want to disable. Just keep disabled = 0 for the [WinEventLog:Security] stanza.

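The answer above leaves two details to the reader: a forwarder usually carries more than one inputs.conf (a `default/` copy shipped with the app and a `local/` copy with site overrides), and Splunk resolves them per key, with `local/` winning over `default/`. The script below is an added example written for this thread, not Splunk's own tooling. It merges the two layers the way Splunk does, reports which WinEventLog channels are effectively enabled, and emits a `local/inputs.conf` override that disables every WinEventLog stanza except Security. The file contents embedded in it are constructed samples; the stanza names are the standard WinEventLog channels, and the `disabled` key is the one the answer refers to.

```python
"""Audit Splunk UF inputs.conf layers for WinEventLog inputs and build a
local override that keeps only the Security channel enabled.

Added example for this thread, not Splunk's own code. It assumes Splunk's
standard precedence rule: a key in <app>/local/inputs.conf overrides the
same stanza/key in <app>/default/inputs.conf. The sample file contents
below are constructed for the demonstration.
"""
import configparser

# Constructed sample of a default/inputs.conf as shipped by a Windows add-on.
DEFAULT_INPUTS = """
[WinEventLog:Application]
disabled = 0
index = wineventlog

[WinEventLog:System]
disabled = 0
index = wineventlog

[WinEventLog:Security]
disabled = 0
index = wineventlog

[monitor://C:\\inetpub\\logs]
disabled = 1
"""

# Constructed sample of an existing local/inputs.conf with one override.
LOCAL_INPUTS = """
[WinEventLog:Application]
disabled = 1
"""


def parse_inputs(text):
    """Parse inputs.conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_config(default_text, local_text):
    """Merge default then local; local wins per key (Splunk precedence)."""
    merged = parse_inputs(default_text)
    for stanza, keys in parse_inputs(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def enabled_wineventlog_channels(merged):
    """Return WinEventLog channel names whose effective 'disabled' is not set.

    A stanza with no 'disabled' key is enabled, so the default is "0".
    """
    channels = []
    for stanza, keys in merged.items():
        if not stanza.startswith("WinEventLog:"):
            continue
        if keys.get("disabled", "0").strip().lower() not in ("1", "true"):
            channels.append(stanza.split(":", 1)[1])
    return sorted(channels)


def security_only_override(merged, keep=("Security",)):
    """Build local/inputs.conf text that disables every WinEventLog stanza
    except the channels listed in `keep`.

    Only stanzas already present in the merged config are written, so the
    override never switches on a channel that was not configured before.
    Non-WinEventLog stanzas (file monitors etc.) are left alone.
    """
    lines = []
    for stanza in sorted(merged):
        if not stanza.startswith("WinEventLog:"):
            continue
        channel = stanza.split(":", 1)[1]
        lines.append(f"[{stanza}]")
        lines.append("disabled = 0" if channel in keep else "disabled = 1")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = effective_config(DEFAULT_INPUTS, LOCAL_INPUTS)
    print("Currently enabled channels:", enabled_wineventlog_channels(merged))
    override = security_only_override(merged)
    print("\nProposed local/inputs.conf:\n" + override)
    after = effective_config(DEFAULT_INPUTS, override)
    print("Enabled after override:", enabled_wineventlog_channels(after))
```

Write the generated text to the app's `local/inputs.conf` rather than editing `default/`, so an app upgrade does not undo the change, and restart the forwarder for it to take effect. If the app was pushed from a deployment server, make the edit in the deployment server's copy of the app; otherwise the next deployment will overwrite the forwarder's local change.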

mmcarty
New Member

This worked! Thank you very much!

0 Karma