Solved: Monitor Windows Event Log for Critical/Error

tmontney · ‎03-25-2020

I want to monitor certain events and all Error/Critical level events.

[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724, 104
whitelist2 = Type="^[1|2]"

Tried it with and without whitelist commented out (thinking it was overriding it). It isn't picking up the events.

tmontney · ‎05-06-2020

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]"

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

tmontney · ‎05-06-2020

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]"

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

Monitor Windows Event Log for Critical/Error