I need assistance with whitelisting as I can’t make it work. I’m running the free trial version 9.0.0 of Splunk Enterprise. I have 1 Receiver (on a CentOS VM), and some Windows and CentOS systems (VMs and physical devices) with the Universal Forwarder installed. I’m getting data in from all my systems. On the Windows systems I only need to see data from select Windows Security Log Events and would like to exclude all other log data/events. I’ve read Splunk’s documentation about whitelisting and I guess I just don’t understand what I’m reading. It doesn’t seem to be working, as my license usage hasn’t decreased, and/or I don’t know how to verify if it’s working.
I created an inputs.conf file in the following location: /etc/system/local/ on the Universal Forwarders and its content is:
[WinEventLog://Security]
whitelist=1100,1101,1102,4616,4624,4625,4634,4647,4648,4657,4704,4705,4719,4720,4722,4723,4724,4725,4726,4740,4767,4776,4777
Is this correct?
Do I have to put the statement disabled = 0 or is it implied?
I haven’t configured anything through Splunk web, do I need to do that?
Where do I save the inputs.conf file? On the Receiver only, on the Universal Forwarders only, or on both?
Do I need to include all the statements from the default inputs.conf file in my new one?
Besides decreased license usage, is there a way to know if my whitelist is working?
Thank you for any and all help.
Hi @lutzmw,
first, I suggest reading https://docs.splunk.com/Documentation/Splunk/latest/Data/AboutWindowsdataandSplunk and searching the Splunk YouTube channel for a video that describes how to ingest Windows data.
Anyway, first, don't create any inputs.conf; instead, download and install the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/) on both Splunk Enterprise and the Windows clients. It was created just to input and parse Windows logs.
You only have to enable (on the Forwarders) the WinEventLog:Security input: you can do this by copying inputs.conf from the default folder to the local folder, changing disabled from 1 to 0 in the WinEventLog:Security stanza (in the local inputs.conf), and restarting Splunk on the forwarders at the end.
In this way, you'll have all WinEventLogs correctly indexed and parsed.
Then, if you want to filter WinEventLog:Security logs, you can use whitelist or blacklist (in the Forwarder's local inputs.conf): you have to add a row indicating the EventCodes to blacklist or whitelist.
For more info about this, see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf.
Ciao.
Giuseppe
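As an added example (not from this thread, and not Splunk's own code), here is a small Python model of the event-ID form of the whitelist row Giuseppe describes, applied to constructed Security events, together with the check Mike asks for: which EventCodes reached the index that the whitelist should have dropped. It assumes the comma-separated ID/range syntax (`4,5,7,100-200`) documented in inputs.conf.spec, which goes slightly beyond the plain ID list in the question; it ignores blacklist and the key=regex form.

```python
"""Model of Splunk's WinEventLog event-ID whitelist (added example, not Splunk code)."""
import re
from collections import Counter

# Constructed stanza: the question's list, with 1100-1102 and 4722-4726 written as ranges.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
whitelist = 1100-1102,4616,4624,4625,4634,4647,4648,4657,4704,4705,4719,4720,4722-4726,4740,4767,4776,4777
"""

# Constructed sample events as (EventCode, description); not from any real host.
SAMPLE_EVENTS = [
    (4624, "logon"), (4625, "failed logon"), (4688, "process creation"),
    (4634, "logoff"), (5156, "filtering platform connection"), (1102, "log cleared"),
    (4720, "user created"), (4724, "password reset"), (4688, "process creation"),
]

def parse_whitelist(conf_text, stanza="WinEventLog://Security"):
    """Return the set of allowed EventCodes from a stanza's whitelist/whitelistN rows."""
    in_stanza, allowed = False, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # stanza header switches context
            in_stanza = line == f"[{stanza}]"
            continue
        if in_stanza and re.match(r"whitelist\d?\s*=", line):
            for term in line.partition("=")[2].split(","):
                lo, _, hi = term.strip().partition("-")   # "4616" or "4722-4726"
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def forwarded(events, allowed):
    """Events that pass the whitelist, i.e. what the forwarder would send on."""
    return [e for e in events if e[0] in allowed]

def unexpected_codes(indexed_codes, allowed):
    """Verification step: EventCodes seen in the index that the whitelist should have dropped.
    Feed it the EventCode column of a `stats count by EventCode` search over the Security
    sourcetype; a non-empty result means some forwarder is not applying the whitelist."""
    return {c: n for c, n in Counter(indexed_codes).items() if c not in allowed}

if __name__ == "__main__":
    allowed = parse_whitelist(INPUTS_CONF)
    print("forwarded:", [e[0] for e in forwarded(SAMPLE_EVENTS, allowed)])
    print("unexpected in index:", unexpected_codes([e[0] for e in SAMPLE_EVENTS], allowed))
```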
Giuseppe,
Thanks for the response. I haven't had a chance to try your solution, but I should be able to try it soon. At the bottom of the default inputs.conf file there's a section that I don't understand. It says # default single instance modular input restarts. Can you explain what this is? It also has a [WinEventLog] entry. Is this where I make the change that's needed, or do I place my whitelist further up in the file? Thanks again.
Mike
Hi @lutzmw,
sorry, but I downloaded the latest version of this TA and I didn't find the section you mentioned!
Could you share it?
Ciao.
Giuseppe
Hi @lutzmw,
we're speaking of two different things:
I'm speaking of the latest Splunk Add-On for Microsoft Windows (https://splunkbase.splunk.com/app/742/), whose latest release is 8.5;
instead, you're speaking of the inputs.conf in $SPLUNK_HOME/etc/system/default, in other words the default inputs.conf of Splunk.
This means that your file is the inputs.conf that you find by default in Splunk, and the inputs you're speaking of are the modular inputs present by default in Splunk, which you can see in the GUI.
Ciao.
Giuseppe