Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: What Windows Event Codes are generally accepta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a good reference list or someone that can post what ways Windows Event Logs are being filtered? I'm particularly interested in those from a security perspective. For example, I get a flood of successful logins on an IIS web server from the IUSR account, which is of little value to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can filter using multiple values or one value.
See this answer for an example: http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log
I filter out EventCodes that are irrelevant. This site gives you a down and dirty look at WindowsEventLog:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
The webinars in the site are pretty helpful as well. Once you've built your list of events to filter, apply them on your splunk instance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk 6 makes this easier now with blacklists for windows inputs.
[WinEventLog:Security]
disabled = false
blacklist = 5156-5157
It also makes suppressing the message payload much easier.
[WinEventLog:Security]
disabled = 0
suppress_text = 1
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does not work on Universal Forwarders, correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can filter using multiple values or one value.
See this answer for an example: http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log
I filter out EventCodes that are irrelevant. This site gives you a down and dirty look at WindowsEventLog:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
The webinars in the site are pretty helpful as well. Once you've built your list of events to filter, apply them on your splunk instance.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
