Recently we upgraded the Splunk version to 6.3.0
We are trying to filter certain event codes from Security and System LogNames and it is not filtering.
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1 = 4656,4689,4688
[WinEventLog://System]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1 = 7036,5009,98,7045
Updated Inputs.Conf under ....\etc\system\local. This did not work.
Then updated Inputs.Conf under ....\etc\apps\SplunkLightForwarder\default. This did not work.
What am I missing here? Please advise.
Thanks
Anand
According to the inputs.conf docs, you need to use the unnumbered blacklist key to supply a list of event codes:
* The base unnumbered whitelist and blacklist support two formats, a list of integer event IDs, and a list of key=regex pairs.
* Numbered whitelist/blacklist settings such as whitelist1 do not support the Event ID list format.
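As an added check (not code from this thread or from Splunk), a small Python script that parses inputs.conf stanzas, flags numbered whitelistN/blacklistN keys that carry a bare Event ID list, and rewrites them to the unnumbered form the answer above describes; the sample config is constructed from the question's stanzas.

```python
import re

# Constructed sample: the two stanzas from the question, with the numbered key.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1 = 4656,4689,4688
[WinEventLog://System]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1 = 7036,5009,98,7045
"""

NUMBERED_KEY = re.compile(r"^(whitelist|blacklist)\d+$")  # whitelist1, blacklist2, ...
EVENT_ID_LIST = re.compile(r"^\d+(\s*,\s*\d+)*$")         # e.g. 4656,4689,4688

def check_event_id_filters(conf: str) -> list:
    """Return (stanza, key, value) for every numbered whitelistN/blacklistN whose
    value is a bare Event ID list; only the unnumbered keys accept that format."""
    findings, stanza = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line and stanza and stanza.startswith("WinEventLog://"):
            key, value = (s.strip() for s in line.split("=", 1))
            if NUMBERED_KEY.match(key) and EVENT_ID_LIST.match(value):
                findings.append((stanza, key, value))
    return findings

def fix_event_id_filters(conf: str) -> str:
    """Rename each flagged numbered key to its unnumbered form (blacklist1 -> blacklist).
    This corrects syntax only; whether dropping a given Event ID is wise is a separate call."""
    flagged = {(s, k) for s, k, _ in check_event_id_filters(conf)}
    out, stanza = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if (stanza, key) in flagged:
                raw = f"{NUMBERED_KEY.match(key).group(1)} = {value}"
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run check_event_id_filters on a forwarder's inputs.conf before restarting it; an empty result means every Event ID list sits under an unnumbered key.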
After I modified the inputs.conf on the Splunk Forwarder client, it started to work. Modify the local inputs.conf and that should work.
The local inputs.conf on the server side still did not work.
Thanks
Anand
I tried that and it is still not working. Is there any other thing that I am missing?
Thanks
Anand