Solved: Re: How to select only "Security logs" from Windo...

mmcarty · ‎03-06-2018

Hello,
I installed a Universal Forwarder(UF) in a Windows servers box, I didn't select the customize options, I only did next and only specified my deployer, now after I am done, I would like to tell the windows servers that I only need Windows Security Logs (from the event viewer) to be forwarded to my Splunk instance, how do i do that? how do I change that?

Thank you!

somesoni2 · ‎03-06-2018

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

View solution in original post

somesoni2 · ‎03-06-2018

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

mmcarty · ‎03-06-2018

This worked! thank you very much!

How to select only "Security logs" from Windows?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

How to select only "Security logs" from Windows?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience