I want to filter specific security events logs but...

aqudoos · ‎06-07-2018

I have configure the input file residing under following path.C:\Program Files\SplunkUniversalForwarder\etc\system\local.

Configuration:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="5156" Message="*"

Requirement:

I want all security events logs other than event code 5156........Is my configuration wrong.

FrankVl · ‎06-07-2018

Just use blacklist = 5156. No need to complicate it the way you did.

aqudoos · ‎06-07-2018

HI Frank!

Thanks for reply.I am still receiving logs with event code 5156.Please review my updated configuration.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = EventCode=5156

aqudoos · ‎06-07-2018

I have tried this as well

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist =5156

FrankVl · ‎06-08-2018

Exactly. Whitelist and blacklist for WinEventLog can filter for specific eventIDs by just specifying the IDs (comma separated). No need to use Eventcode= etc. Just the code itself. Please try that, make sure to restart splunk after adjusting it.

I want to filter specific security events logs but my configuration didn't work.

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann