Getting Data In

How to select only "Security logs" from Windows?

mmcarty
New Member

Hello,
I installed a Universal Forwarder(UF) in a Windows servers box, I didn't select the customize options, I only did next and only specified my deployer, now after I am done, I would like to tell the windows servers that I only need Windows Security Logs (from the event viewer) to be forwarded to my Splunk instance, how do i do that? how do I change that?

Thank you!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

mmcarty
New Member

This worked! thank you very much!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...