Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to filter specific security events logs but my configuration didn't work.

aqudoos
Explorer
‎06-07-2018 01:31 AM

I have configure the input file residing under following path.C:\Program Files\SplunkUniversalForwarder\etc\system\local.

Configuration:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="5156" Message="*"

Requirement:

I want all security events logs other than event code 5156........Is my configuration wrong.

0 Karma
Reply

FrankVl
Ultra Champion
‎06-07-2018 03:47 AM

Just use blacklist = 5156. No need to complicate it the way you did.

0 Karma
Reply

aqudoos
Explorer
‎06-07-2018 09:24 PM

HI Frank!

Thanks for reply.I am still receiving logs with event code 5156.Please review my updated configuration.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = EventCode=5156

0 Karma
Reply

aqudoos
Explorer
‎06-07-2018 09:25 PM

I have tried this as well

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist =5156

0 Karma
Reply

FrankVl
Ultra Champion
‎06-08-2018 12:09 AM

Exactly. Whitelist and blacklist for WinEventLog can filter for specific eventIDs by just specifying the IDs (comma separated). No need to use Eventcode= etc. Just the code itself. Please try that, make sure to restart splunk after adjusting it.

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...