I want to monitor certain events and all Error/Critical level events.
https://answers.splunk.com/answers/663023/how-to-monitor-wineventlogsystem-event-logs-for-cr.html
[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724, 104
whitelist2 = Type="^[1|2]"
Tried it with and without whitelist commented out (thinking it was overriding it). It isn't picking up the events.
This is the correct stanza:
[WinEventLog://Application]
disabled = 0
index = wineventlog
whitelist1 = EventCode="^(1000|1001|11707|11724|104)$"
whitelist2 = Type="^(Error|Critical)$"
1) Whitelists/blacklists can use only one format (standard or regular expression), not both at the same time: https://answers.splunk.com/answers/563657/wineventlog-whitelisting-by-sourcename-not-working.html
2) Type must be the enum name not the value. I originally thought it would be the value because that's how it appears in XML.
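To check a whitelist before pushing inputs.conf to the forwarders, here is an added Python model of the key="regex" whitelist format; it is not Splunk's code and not from either post. It assumes that every key=regex pair on one whitelistN line must match, that separate whitelistN lines are ORed, and that the regex is searched rather than full-matched, and it runs the asker's filter and the answer's filter (written with anchored alternation groups) over constructed events.

```python
import re
from typing import Dict, List, Pattern, Tuple

# One or more key="regex" pairs on a single whitelistN value.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_whitelist(value: str) -> List[Tuple[str, Pattern]]:
    """Parse the advanced format; the standard comma list is rejected because
    the two formats cannot be mixed (assumption: modelled after the Splunk docs)."""
    pairs = PAIR_RE.findall(value)
    if not pairs:
        raise ValueError(f'not in key="regex" format: {value!r}')
    return [(key, re.compile(rx)) for key, rx in pairs]

def event_allowed(event: Dict[str, str], whitelists: List[str]) -> bool:
    """True if any whitelistN line has all of its key=regex pairs matching."""
    for value in whitelists:
        if all(rx.search(event.get(key, "")) for key, rx in parse_whitelist(value)):
            return True
    return False

# Constructed sample events, fields named as Splunk extracts them from WinEventLog.
EVENTS = [
    {"EventCode": "1000", "Type": "Error"},
    {"EventCode": "1040", "Type": "Information"},
    {"EventCode": "7036", "Type": "Critical"},
    {"EventCode": "7036", "Type": "Information"},
]

# The asker's regex tests Type against numeric levels, but Type carries the enum name.
ASKER = ['Type="^[1|2]"']
# The answer, with anchored alternation so 104 cannot match 1040 and Type is exact.
ANSWER = ['EventCode="^(1000|1001|11707|11724|104)$"', 'Type="^(Error|Critical)$"']
# Unanchored variant of the same EventCode list, to show the substring match.
UNANCHORED = ['EventCode="1000|1001|11707|11724|104"']

def filter_events(whitelists: List[str]) -> List[Dict[str, str]]:
    return [e for e in EVENTS if event_allowed(e, whitelists)]

if __name__ == "__main__":
    for name, wl in (("asker", ASKER), ("answer", ANSWER), ("unanchored", UNANCHORED)):
        print(name, filter_events(wl))
```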
