Trying to collect specific GPO event codes, so we've created an app on the universal forwarder with the below in the inputs.conf file:
disabled = 0
# current_only = 1: only events written after the input starts are collected;
# events already in the log when the forwarder starts are never read
current_only = 1
# resolve SIDs and GUIDs in the event text to AD object names
evt_resolve_ad_obj = 1
checkpointInterval = 300
# only these event IDs are forwarded
whitelist = 5126,5257,5312,5313,1069,1128,4098
# drop 4662/566 unless the accessed object type is a groupPolicyContainer
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
I can see the event logs on the server but can't see any in Splunk. The wineventlog index already exists.
By changing the first line to the below I got what I was after:
@aimeedillon13, If your problem is resolved, please accept the answer to help future readers.
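The following is an added example, not code from the original post or from Splunk. It models how the forwarder applies the whitelist and blacklist settings from the post to sample events, using Splunk's documented semantics as I read them (a matching blacklistN clause drops the event first; key="regex" pairs on one line are ANDed; a numeric whitelist is a list of alternatives; regexes are unanchored searches). The stanza header `[WinEventLog://Security]`, the helper names and the event text are all assumptions; the messages are constructed, but separate the label and value with tabs the way a rendered 4662 message does. Two things fall out of running it: 4662 and 566 can never reach the index because they are not in the whitelist, and `Object Type:\s+(?!groupPolicyContainer)` still matches a groupPolicyContainer event, because `\s+` backtracks to a single tab and the lookahead then sees a tab rather than the object name. A lookahead that absorbs the remaining whitespace, `(?!\s*groupPolicyContainer)`, behaves as intended.

```python
import re
from typing import Dict, List

# Constructed inputs.conf fragment: the settings from the post plus a stanza
# header that the post does not show (assumed here).
INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 5126,5257,5312,5313,1069,1128,4098
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
"""

# Same settings with 4662/566 added to the whitelist, blacklist regex unchanged.
WHITELIST_ONLY_CONF = INPUTS_CONF.replace("whitelist = 5126", "whitelist = 4662,566,5126")

# Whitelist fix plus a lookahead that cannot be defeated by backtracking.
FIXED_CONF = WHITELIST_ONLY_CONF.replace(
    r"(?!groupPolicyContainer)", r"(?!\s*groupPolicyContainer)")

# key="regex" pairs as written in a whitelist/blacklist value.
KEY_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_stanza(text: str) -> Dict[str, str]:
    """Parse the key = value lines of one stanza; header and comments skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_filter(value: str) -> List[Dict[str, re.Pattern]]:
    """Return OR-ed alternatives, each a dict of field -> regex that is AND-ed.
    A key="regex" line is one alternative; a comma list of IDs is one
    anchored EventCode alternative per ID (ranges like 4000-4100 not modelled)."""
    pairs = KEY_RE.findall(value)
    if pairs:
        return [{field: re.compile(rx) for field, rx in pairs}]
    ids = [i.strip() for i in value.split(",") if i.strip()]
    return [{"EventCode": re.compile(rf"^{re.escape(i)}$")} for i in ids]


def matches(event: Dict[str, str], clause: Dict[str, re.Pattern]) -> bool:
    """Every field regex in the clause must find a match in the event."""
    return all(f in event and rx.search(event[f]) for f, rx in clause.items())


def should_forward(event: Dict[str, str], settings: Dict[str, str]) -> bool:
    """Model of the forwarder's decision: blacklist first, then whitelist."""
    for key, value in settings.items():
        if key.startswith("blacklist"):
            if any(matches(event, c) for c in parse_filter(value)):
                return False
    whitelists = [v for k, v in settings.items() if k.startswith("whitelist")]
    if not whitelists:
        return True
    return any(matches(event, c) for v in whitelists for c in parse_filter(v))


def ds_access_4662(object_type: str) -> Dict[str, str]:
    """Constructed 4662 event; tab-separated like the rendered Windows message."""
    return {"EventCode": "4662",
            "Message": "An operation was performed on an object.\n"
                       f"\tObject Type:\t\t{object_type}\n"}


# Constructed sample events (hypothetical values).
SAMPLE_EVENTS = {
    "gpo_list_5312": {"EventCode": "5312",
                      "Message": "List of applicable Group Policy objects: Default Domain Policy"},
    "ds_access_gpc": ds_access_4662("groupPolicyContainer"),
    "ds_access_user": ds_access_4662("user"),
}


def evaluate(conf_text: str) -> Dict[str, bool]:
    """Map each sample event name to whether this config would forward it."""
    settings = parse_stanza(conf_text)
    return {name: should_forward(ev, settings) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, conf in (("posted", INPUTS_CONF),
                        ("whitelist fixed", WHITELIST_ONLY_CONF),
                        ("whitelist + regex fixed", FIXED_CONF)):
        print(label, evaluate(conf))
```

With the posted settings only the 5312 sample is forwarded; adding 4662/566 to the whitelist still drops the groupPolicyContainer 4662 because of the backtracking regex, and only the corrected lookahead lets it through while still dropping the `user` access. The same kind of check is worth running against real message text from the host before trusting a negative lookahead in a blacklist.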