Getting Data In

What is the best method to index only set event ids from the security event log?

AaronMoorcroft
Communicator

Hey Guys,

So I'm setting up a lab for some testing, what I would like to do is index only set Windows Security Event IDs, what's the best and or easiest way of achieving this ? would it be best to black list everything and then whitelist only the events I want indexing ?

Any advice would be greatly appreciated

Cheers

0 Karma
1 Solution

FrankVl
Ultra Champion

I'd say just add the following to your inputs.conf:

whitelist = <comma separated list of event IDs you want to collect>

e.g.

whitelist = 2425,2426

View solution in original post

0 Karma

FrankVl
Ultra Champion

I'd say just add the following to your inputs.conf:

whitelist = <comma separated list of event IDs you want to collect>

e.g.

whitelist = 2425,2426
0 Karma

AaronMoorcroft
Communicator

Hi Frank,

Thanks for the speedy response, will doing this ignore all the unwanted Event IDs ?

0 Karma

FrankVl
Ultra Champion

Yes, it does.

0 Karma

AaronMoorcroft
Communicator

Awesome, ill give this a try and see how it goes, ill post back in 15 / 20 mins after some events have had chance to filter through 🙂

0 Karma

AaronMoorcroft
Communicator

Hey Frank,

So that doesn't seem to be working in that I'm still seeing other event ids other than the listed ones within the inputs.conf. any ideas ?

I've restarted the Splunk service, I've added the text in the inputs file as exampled above.

0 Karma

FrankVl
Ultra Champion

Can you share the actual inputs.conf you have?

I gave the same suggestion to a similar question recently and that was accepted to work: https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html

0 Karma

AaronMoorcroft
Communicator

Hey Frank, Sure.

So it did look like this -

[default]
host = wkstn01

whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803

I have just changed it to this -

[default]
host = wkstn01

[WinEventLog://Security]
whitelist1 = 4624,4647,4625,4778,4779,4800,4801,4802,4803

Just testing this a little further now

0 Karma

FrankVl
Ultra Champion

Yeah, you want to add that specifically to the WinEventLog stanza, not the default stanza.

And no need to add that 1 if you just have 1 whitelist line.

0 Karma

AaronMoorcroft
Communicator

Hey Frank, Thanks 🙂

So it just seems to be filtering the first event 4624 and im not seeing any of the others despite forcing the other events to happen..... very strange this filtering lark.

0 Karma

AaronMoorcroft
Communicator

Ok, I think this is working now, thanks Frank your a star 🙂

0 Karma