Trying to collect specific GPO event codes so we've created an app on the universal forwarder with the below in the inputs.conf file:
[WinEventLog://Application]
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 5126,5257,5312,5313,1069,1128,4098
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false
I can see the event logs on the server but can't see any in Splunk. The wineventlog index already exists.