Solved: How to select only "Security logs" from Windows?

mmcarty · ‎03-06-2018

Hello,
I installed a Universal Forwarder(UF) in a Windows servers box, I didn't select the customize options, I only did next and only specified my deployer, now after I am done, I would like to tell the windows servers that I only need Windows Security Logs (from the event viewer) to be forwarded to my Splunk instance, how do i do that? how do I change that?

Thank you!

somesoni2 · ‎03-06-2018

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

View solution in original post

somesoni2 · ‎03-06-2018

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

mmcarty · ‎03-06-2018

This worked! thank you very much!

How to select only "Security logs" from Windows?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation