aimeedillon13
Engager
10-04-2017
02:53 AM
Trying to collect specific GPO event codes so we've created an app on the universal forwarder with the below in the inputs.conf file:
[WinEventLog://Application]
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 5126,5257,5312,5313,1069,1128,4098
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml = false
I can see the event logs on the server but can't see any in Splunk. The wineventlog index already exists.
1 Solution
aimeedillon13
Engager
10-17-2017
04:07 AM
By changing the first line to the below I got what I was after:
[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
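A check worth running before editing inputs.conf, as an added example (my own, not code from the thread): query each whitelisted event ID against both the Application log and the Group Policy operational log with Get-WinEvent, so the stanza names the channel where the events actually land. It assumes it runs on the server whose logs the forwarder reads, with rights to read both channels.

```powershell
# Added example (not from the original thread): find which Windows event
# channel holds each event ID from the forwarder whitelist. The IDs and
# channel names below are the ones discussed in the thread.
$ids      = 5126, 5257, 5312, 5313, 1069, 1128, 4098
$channels = 'Application', 'Microsoft-Windows-GroupPolicy/Operational'

# Confirm the exact channel name to use in the [WinEventLog://...] stanza.
Get-WinEvent -ListLog 'Microsoft-Windows-GroupPolicy/*' |
    Select-Object LogName, IsEnabled, RecordCount

foreach ($channel in $channels) {
    foreach ($id in $ids) {
        # -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were
        # found" as an error when the ID never appears in that channel.
        $hit = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $id } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($hit) {
            '{0,-45} {1,5}  last seen {2}' -f $channel, $id, $hit.TimeCreated
        } else {
            '{0,-45} {1,5}  no events' -f $channel, $id
        }
    }
}
```

If every ID shows "no events" under Application and a timestamp under the operational log, the stanza in the accepted answer is the one the forwarder needs; if the operational log shows IsEnabled as False, nothing will be forwarded until it is switched on.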
richgalloway
SplunkTrust
10-17-2017
05:45 AM
@aimeedillon13, If your problem is resolved, please accept the answer to help future readers.
---
If this reply helps you, Karma would be appreciated.