Solved: Re: How to select only "Security logs" from Windo...

mmcarty · ‎03-06-2018

Hello,
I installed a Universal Forwarder(UF) in a Windows servers box, I didn't select the customize options, I only did next and only specified my deployer, now after I am done, I would like to tell the windows servers that I only need Windows Security Logs (from the event viewer) to be forwarded to my Splunk instance, how do i do that? how do I change that?

Thank you!

somesoni2 · ‎03-06-2018

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

View solution in original post

somesoni2 · ‎03-06-2018

Look for inputs.conf in your Universal Forwarder. ($SPLUNK_HOME/etc/apps, should be under some app). The inputs.conf file (there can be many, find one which has [WinEventLog:.... type stanza). You can say disabled = 1 for all entries which you want to disable. Just keep disabled =0 for [WinEventLog:Security] stanza.

mmcarty · ‎03-06-2018

This worked! thank you very much!

How to select only "Security logs" from Windows?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation