Getting Data In

Monitor Windows Event Log for Critical/Error

tmontney
Builder

I want to monitor certain events and all Error/Critical level events.

https://answers.splunk.com/answers/663023/how-to-monitor-wineventlogsystem-event-logs-for-cr.html

[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724, 104
whitelist2 = Type="^[1|2]"

Tried it with and without whitelist commented out (thinking it was overriding it). It isn't picking up the events.

0 Karma
1 Solution

tmontney
Builder

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]" 

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

View solution in original post

0 Karma

tmontney
Builder

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]" 

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

0 Karma
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...