Getting Data In

Monitor Windows Event Log for Critical/Error

tmontney
Builder

I want to monitor certain events and all Error/Critical level events.

https://answers.splunk.com/answers/663023/how-to-monitor-wineventlogsystem-event-logs-for-cr.html

[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724, 104
whitelist2 = Type="^[1|2]"

Tried it with and without whitelist commented out (thinking it was overriding it). It isn't picking up the events.

0 Karma
1 Solution

tmontney
Builder

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]" 

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

View solution in original post

0 Karma

tmontney
Builder

This is the correct stanza:

[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="1000|1001|11707|11724|104"
whitelist2 = Type="^[Error|Critical]" 

1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.

0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...