
I want to filter specific security events logs but my configuration didn't work.

Explorer

I have configured the input file residing under the following path: C:\Program Files\SplunkUniversalForwarder\etc\system\local.

Configuration:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="5156" Message="*"

Requirement:

I want all security event logs other than event code 5156. Is my configuration wrong?

0 Karma

Re: I want to filter specific security events logs but my configuration didn't work.

Ultra Champion

Just use blacklist = 5156. No need to complicate it the way you did.

0 Karma

Re: I want to filter specific security events logs but my configuration didn't work.

Explorer

HI Frank!

Thanks for the reply. I am still receiving logs with event code 5156. Please review my updated configuration.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = EventCode=5156

0 Karma

Re: I want to filter specific security events logs but my configuration didn't work.

Explorer

I have tried this as well

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 5156

0 Karma

Re: I want to filter specific security events logs but my configuration didn't work.

Ultra Champion

Exactly. Whitelist and blacklist for WinEventLog can filter for specific event IDs by just specifying the IDs (comma separated). No need to use EventCode= etc. Just the code itself. Please try that, and make sure to restart Splunk after adjusting it.

0 Karma
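To make the difference between the two blacklist syntaxes in this thread concrete, here is an added example that is not part of the thread and not Splunk's own code: a small Python model of how a [WinEventLog://Security] stanza's blacklist settings are interpreted. It accepts the simple comma-separated ID form recommended above (blacklist = 5156) and the key=regex form from the first post (blacklist1 = EventCode="5156" Message=...), and applies them to a few constructed sample events. The Event class, the sample events and the parsing rules are assumptions made for this illustration; the model uses Python's re engine, in which the Message="*" pattern from the first post is not a valid regular expression, so the model reports a configuration error for that line instead of filtering anything.

```python
import re
from dataclasses import dataclass

# Illustrative model (not Splunk code) of the two blacklist syntaxes for a
# [WinEventLog://...] stanza in inputs.conf:
#   simple:   blacklist = 5156,4688          comma-separated IDs or ranges (0-100)
#   advanced: blacklist1 = EventCode="5156" Message="permitted"
#             key=regex pairs on one line; all pairs must match (logical AND)


@dataclass
class Event:
    """Minimal stand-in for a Windows event; field names mirror the config keys."""
    EventCode: int
    Message: str = ""


# Constructed sample events (messages abbreviated, not real log text).
SAMPLE_EVENTS = [
    Event(5156, "The Windows Filtering Platform has permitted a connection."),
    Event(4624, "An account was successfully logged on."),
    Event(4688, "A new process has been created."),
]


def parse_simple(spec):
    """Return the set of event codes from '5156', '5156,4688' or '0-100' forms."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


# key=regex pairs; the regex may be delimited by double quotes or percent signs.
KEY_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')


def parse_advanced(spec):
    """Return a list of (field, compiled_regex) pairs; raises re.error on a bad regex."""
    pairs = []
    for m in KEY_RE.finditer(spec):
        field_name = m.group(1)
        pattern = m.group(2) if m.group(2) is not None else m.group(3)
        pairs.append((field_name, re.compile(pattern)))  # '*' alone raises re.error
    if not pairs:
        raise ValueError(f"no key=regex pairs found in {spec!r}")
    return pairs


def parse_blacklist(stanza):
    """Turn the blacklist/blacklistN settings of a stanza dict into match predicates."""
    predicates = []
    for key, value in stanza.items():
        if not re.fullmatch(r"blacklist\d*", key):
            continue
        if "=" in value:
            pairs = parse_advanced(value)
            # Assumption of this model: regexes are applied with re.search, and
            # every key=regex pair on the line must match for the event to be dropped.
            predicates.append(
                lambda ev, p=pairs: all(rx.search(str(getattr(ev, f, ""))) for f, rx in p)
            )
        else:
            codes = parse_simple(value)
            predicates.append(lambda ev, c=codes: ev.EventCode in c)
    return predicates


def blacklist_error(stanza):
    """Return a description of the first malformed blacklist setting, or None if all parse."""
    try:
        parse_blacklist(stanza)
    except (re.error, ValueError) as exc:
        return str(exc)
    return None


def forwarded(stanza, events):
    """Return the events that survive every blacklist predicate in the stanza."""
    preds = parse_blacklist(stanza)
    return [ev for ev in events if not any(p(ev) for p in preds)]


def forwarded_codes(stanza, events=SAMPLE_EVENTS):
    """Convenience wrapper: event codes that would still be sent to the indexer."""
    return [ev.EventCode for ev in forwarded(stanza, events)]


if __name__ == "__main__":
    print("blacklist = 5156            ->", forwarded_codes({"blacklist": "5156"}))
    print('blacklist1 = EventCode="5156" Message="*" ->',
          blacklist_error({"blacklist1": 'EventCode="5156" Message="*"'}))
```

Running the model against the sample events shows the simple form dropping only event 5156, and the first post's line being rejected before any event is examined. Whether a real forwarder silently ignores such a line or logs it in splunkd.log is not established by the thread; checking splunkd.log after a restart is the practical way to confirm the stanza was accepted.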