I have a server class (wineventlog) that has a whitelist in the inputs.conf. It looks like this:
[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281
This applies to all 14 clients in this server class. However, I want to add "2000" to the whitelist, but I need it in only one client out of the 14. Is this possible?
Try using advanced filtering. Create a second whitelist that filters based on EventCode and ComputerName. Set ComputerName to the name of the client that you want to log the event.
[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281
whitelist1=EventCode="2000" ComputerName="insert name of client here"
Or you could create a new app that contains whitelist1 for event code 2000, and only apply it to the single client.
[WinEventLog://Security]
whitelist1=EventCode="2000"
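A simplified model of how the two whitelist entries in the answer above combine, as an added example that is not part of the original thread and not Splunk's own code. It assumes an event is kept when any whitelist entry matches, that every key in a key="regex" entry must match, and that regexes match unanchored; CLIENT01 and CLIENT07 are constructed host names standing in for the real clients.

```python
import re

# The two whitelist entries from the answer above; CLIENT07 is a constructed name.
STANZA = {
    "whitelist": "4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,"
                 "4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,"
                 "1102,4648,5038,6281",
    "whitelist1": 'EventCode="2000" ComputerName="CLIENT07"',
}

def parse_entry(value):
    """Return ('ids', set_of_ints) or ('keys', {field: compiled_regex})."""
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', value)
    if pairs:
        return "keys", {k: re.compile(rx) for k, rx in pairs}
    ids = set()
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))  # "4722-4735" is inclusive
    return "ids", ids

def entry_matches(entry, event):
    kind, spec = entry
    if kind == "ids":
        return int(event["EventCode"]) in spec
    # Advanced entry: every key must match (AND). Assumption: unanchored search.
    return all(rx.search(str(event.get(k, ""))) for k, rx in spec.items())

def is_collected(stanza, event):
    """An event is kept if any whitelist entry matches it (OR across entries)."""
    entries = [parse_entry(v) for k, v in stanza.items() if k.startswith("whitelist")]
    return any(entry_matches(e, event) for e in entries)

# Constructed sample events from two of the 14 clients.
EVENTS = [
    {"EventCode": 4624, "ComputerName": "CLIENT01"},
    {"EventCode": 2000, "ComputerName": "CLIENT01"},
    {"EventCode": 2000, "ComputerName": "CLIENT07"},
    {"EventCode": 4736, "ComputerName": "CLIENT07"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", "collected" if is_collected(STANZA, ev) else "dropped")
```

Running the same check against a real forwarder means searching the index for EventCode 2000 grouped by host and confirming only the intended client appears.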
Can't think of any native method, but you can try these workarounds.
I would also do option 1.
I'd vote for option 1 - although if you don't already know about the nullQueue, then do option 2, as it will be a useful exercise.
Not that I can think of.