Getting Data In

Is it possible to add an item to the whitelist in just one specific client in a server class?

New Member

I have a server class (wineventlog) that has a whitelist in the inputs.conf. It looks like this:

[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281

This applies to all 14 clients in this server class. However, I want to add "2000" to the whitelist, but I need it in only one client out of the 14. Is this possible?

0 Karma

Re: Is it possible to add an item to the whitelist in just one specific client in a server class?

Esteemed Legend

Not that I can think of.

0 Karma

Re: Is it possible to add an item to the whitelist in just one specific client in a server class?

SplunkTrust
SplunkTrust

Can't think of any native method, but you can try these workarounds:

  1. Create two copies of the app, one with the current whitelist and one with 2000 added to the whitelist. Deploy the current one to 13 servers and the new one (with the additional whitelist entry) to that 1 server [probably easy]
  2. Add 2000 to the whitelist in the current app. On the indexer side, create a transform to route the event to nullQueue if the host is not that one client (more complex)

0 Karma

Re: Is it possible to add an item to the whitelist in just one specific client in a server class?

Influencer

I'd vote for option 1 - although if you don't already know about the nullQueue then do option 2 as it will be a useful exercise

0 Karma

Re: Is it possible to add an item to the whitelist in just one specific client in a server class?

Motivator

I would also do option 1.

0 Karma

Re: Is it possible to add an item to the whitelist in just one specific client in a server class?

Contributor

Try using advanced filtering. Create a second whitelist that filters based on EventCode and ComputerName. Set ComputerName to the name of the client that you want to log the event for.

[WinEventLog://Security]
disabled = 0
index = default
whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281
whitelist1=EventCode="2000" ComputerName="insert name of client here"

Or you could create a new app that contains whitelist1 for event code 2000, and only apply it to the single client.

[WinEventLog://Security]
whitelist1=EventCode="2000"

0 Karma
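To check which events a stanza like the one in the answer above would actually collect before pushing it out to the server class, here is an added Python model of the WinEventLog whitelist semantics (this is example code written for this page, not Splunk's own code or anything from the thread). It assumes the documented rules that several `whitelist<N>`/`blacklist<N>` settings are OR'd together, that all `key="regex"` pairs inside one setting must match (AND), that a matching blacklist drops the event even when a whitelist matches, and that each regex is searched against the field value; the stanza and host names are constructed for the example, and `client01.example.test` is a placeholder for the real client name.

```python
import re

# Constructed inputs.conf stanza modelled on the one in the thread.
# The ComputerName regex is anchored on purpose: an unanchored "2000"
# would also match 12000, and an unanchored host name would match any
# host that merely contains that string.
STANZA = {
    "whitelist": "4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,"
                 "4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,"
                 "1102,4648,5038,6281",
    "whitelist1": 'EventCode="^2000$" ComputerName="^client01\\.example\\.test$"',
}

# key="regex" pairs; the regex may contain escaped quotes.
_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_filter(value):
    """Parse one whitelist/blacklist value.

    Returns a set of event codes for the list form (ranges such as
    4722-4735 are expanded) or a dict of field -> compiled regex for
    the key="regex" form.
    """
    value = value.strip()
    if _KV_RE.search(value):
        return {key: re.compile(rx) for key, rx in _KV_RE.findall(value)}
    codes = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = item.split("-", 1)
            codes.update(range(int(low), int(high) + 1))
        else:
            codes.add(int(item))
    return codes


def _matches(rule, event):
    """One parsed filter against one event (dict of field -> value)."""
    if isinstance(rule, set):
        return int(event.get("EventCode", -1)) in rule
    # key="regex" form: every listed key must match (assumed AND semantics,
    # regex searched against the field value).
    return all(rx.search(str(event.get(key, ""))) for key, rx in rule.items())


def event_is_collected(stanza, event):
    """Decide whether the input would forward this event.

    Assumed precedence: any matching blacklist* drops the event; otherwise,
    when at least one whitelist* exists, some whitelist must match.
    """
    blacklists = [parse_filter(v) for k, v in stanza.items() if k.startswith("blacklist")]
    whitelists = [parse_filter(v) for k, v in stanza.items() if k.startswith("whitelist")]
    if any(_matches(rule, event) for rule in blacklists):
        return False
    if not whitelists:
        return True
    return any(_matches(rule, event) for rule in whitelists)


if __name__ == "__main__":
    # Constructed sample events: the same codes from the one special client
    # and from one of the other 13 clients.
    samples = [
        {"EventCode": 4624, "ComputerName": "other.example.test"},
        {"EventCode": 2000, "ComputerName": "other.example.test"},
        {"EventCode": 2000, "ComputerName": "client01.example.test"},
        {"EventCode": 12000, "ComputerName": "client01.example.test"},
    ]
    for ev in samples:
        print(ev["ComputerName"], ev["EventCode"], "->",
              "collected" if event_is_collected(STANZA, ev) else "dropped")
```

The point of running this offline is the anchoring: with `whitelist1` written as in the answer (`EventCode="2000"`), the regex is a pattern, so it is worth anchoring both values (`^2000$`, `^hostname$`) so that the extra whitelist cannot accidentally admit unrelated codes or hosts. Blacklist handling is included so the same checker covers stanzas that use both settings.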