Getting Data In

Monitor Windows Event Log for Critical/Error

Contributor

I want to monitor certain events and all Error/Critical level events.

https://answers.splunk.com/answers/663023/how-to-monitor-wineventlogsystem-event-logs-for-cr.html

[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724, 104
whitelist2 = Type="^[1|2]"

Tried it with and without whitelist commented out (thinking it was overriding it). It isn't picking up the events.

0 Karma
1 Solution

Contributor

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]" 

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

View solution in original post

0 Karma

Contributor

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]" 

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

View solution in original post

0 Karma