Getting Data In

Is it possible to add an item to the whitelist in just one specific client in a server class?

JoanHorikawa
New Member

I have a server class (wineventlog) that has a whitelist in the inputs.conf. It looks like this:

[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281

This applies to all 14 clients in this server class. However, I want to add "2000" to the whitelist, but I need it in only one client out of the 14. Is this possible?

0 Karma

spayneort
Contributor

Try using advanced filtering. Create a second whitelist that filters based on EventCode and ComputerName. Set ComputerName to the name of the client that you want to log the event.

[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281
whitelist1=EventCode="2000" ComputerName="insert name of client here"

Or you could create a new app that contains whitelist1 for event code 2000, and only apply it to the single client.

[WinEventLog://Security]
whitelist1=EventCode="2000"

0 Karma

somesoni2
Revered Legend

Can't think of any native method, but you can try these workarounds:

  1. Create two copies of the app, one with the current whitelist and one with 2000 added to the whitelist. Deploy the current one to 13 servers and the new one (with the additional whitelist entry) to that 1 server [probably easy]
  2. Add 2000 to whitelist in the current app. On indexer side, create a transform to route the event to nullQueue if the host is not that one client (more complex)
0 Karma
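One way to carry out somesoni2's second option, as an added example that is not from any of the answers above: whitelist 2000 on all 14 clients, then have the parsing tier discard ID 2000 from every host except the one you care about. It assumes the chosen client reports itself as allowed-host.example.com (a placeholder) and that events arrive in the classic multi-line text format (sourcetype WinEventLog:Security), where the raw event carries its own ComputerName= line.

```ini
# inputs.conf (deployed to all 14 clients through the existing server class)
[WinEventLog://Security]
disabled = 0
index = default
# <existing list> stands for the IDs already in the whitelist; 2000 is appended
whitelist = <existing list>,2000

# props.conf (indexer or heavy forwarder: TRANSFORMS-* runs only where parsing happens,
# never on a universal forwarder)
[WinEventLog:Security]
TRANSFORMS-drop2000 = drop_2000_unless_chosen_host

# transforms.conf
[drop_2000_unless_chosen_host]
# Applied to _raw. Matches an EventCode=2000 line followed by a ComputerName line
# naming any host other than the placeholder allowed-host.example.com; those
# events are sent to nullQueue, so only the chosen client's ID 2000 is indexed.
REGEX = (?ms)^EventCode=2000\r?$.*?^ComputerName=(?!allowed-host\.example\.com\r?$)
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are not indexed or licensed, but they still cross the network from the other 13 clients, which is why option 1 (filtering on the forwarder itself) is the lighter choice.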

lycollicott
Motivator

I would also do option 1.

0 Karma

jplumsdaine22
Influencer

I'd vote for option 1 - although if you don't already know about the nullQueue then do option 2 as it will be a useful exercise

0 Karma

woodcock
Esteemed Legend

Not that I can think of.

0 Karma