Hey Guys,
So I'm setting up a lab for some testing. What I would like to do is index only a set of Windows Security Event IDs. What's the best and/or easiest way of achieving this? Would it be best to blacklist everything and then whitelist only the events I want indexed?
Any advice would be greatly appreciated
Cheers
I'd say just add the following to your inputs.conf:
whitelist = <comma separated list of event IDs you want to collect>
e.g.
whitelist = 2425,2426
Hi Frank,
Thanks for the speedy response. Will doing this ignore all the unwanted Event IDs?
Yes, it does.
Awesome, I'll give this a try and see how it goes. I'll post back in 15/20 mins after some events have had a chance to filter through 🙂
Hey Frank,
So that doesn't seem to be working, in that I'm still seeing event IDs other than the ones listed in the inputs.conf. Any ideas?
I've restarted the Splunk service, and I've added the text to the inputs file as shown in the example above.
Can you share the actual inputs.conf you have?
I gave the same suggestion to a similar question recently and that was accepted to work: https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html
Hey Frank, sure.
So it did look like this:
[default]
host = wkstn01
whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803
I have just changed it to this:
[default]
host = wkstn01
[WinEventLog://Security]
whitelist1 = 4624,4647,4625,4778,4779,4800,4801,4802,4803
Just testing this a little further now
Yeah, you want to add that specifically to the WinEventLog stanza, not the default stanza.
And no need to add that 1 if you just have 1 whitelist line.
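To make the stanza placement concrete, here is an added simulator (not code from the thread or from Splunk) that parses an inputs.conf in the same shape as the corrected one above and applies the EventCode whitelist to a handful of constructed sample events. It models the thread's observation that a whitelist under [default] did not filter the Security input; it does not claim to reproduce Splunk's full settings-precedence rules, and the stanza names, sample events and helper function names are all assumptions for illustration.

```python
"""
Added example: simulate which Windows Security events survive an EventCode
whitelist in a Splunk-style inputs.conf. Not part of the original thread.
"""
import configparser

# Constructed inputs.conf text modelled on the thread's corrected version.
INPUTS_CONF = """\
[default]
host = wkstn01

[WinEventLog://Security]
whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803
"""

# Constructed variant with the whitelist under [default], as in the thread's
# first attempt (no [WinEventLog://Security] stanza carries a whitelist).
MISPLACED_CONF = """\
[default]
host = wkstn01
whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803
"""

# Constructed sample events: (EventCode, short description). Only the codes
# are used for filtering; the descriptions are for readability.
SAMPLE_EVENTS = [
    (4624, "An account was successfully logged on"),
    (4625, "An account failed to log on"),
    (4672, "Special privileges assigned to new logon"),
    (4688, "A new process has been created"),
    (4800, "The workstation was locked"),
    (1102, "The audit log was cleared"),
]


def parse_inputs_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf text.

    configparser's built-in default section is 'DEFAULT', so a lowercase
    [default] stanza is parsed as an ordinary section and is NOT merged into
    the other stanzas here (that is the assumption this simulator makes).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep keys exactly as written (whitelist vs whitelist1)
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def event_whitelist(stanzas, stanza="WinEventLog://Security"):
    """Return the set of whitelisted EventCodes for one input stanza,
    or None when that stanza has no whitelist (everything is collected)."""
    raw = stanzas.get(stanza, {}).get("whitelist")
    if raw is None:
        return None
    return {int(code) for code in (c.strip() for c in raw.split(",")) if code}


def forwarded_events(conf_text, events):
    """Return the EventCodes (in input order) that the whitelist lets through."""
    allowed = event_whitelist(parse_inputs_conf(conf_text))
    if allowed is None:
        return [code for code, _ in events]
    return [code for code, _ in events if code in allowed]


if __name__ == "__main__":
    for label, conf in (("whitelist in input stanza", INPUTS_CONF),
                        ("whitelist under [default]", MISPLACED_CONF)):
        print(f"{label}: forwarded {forwarded_events(conf, SAMPLE_EVENTS)}")
```

With the whitelist in the WinEventLog stanza only 4624, 4625 and 4800 from the sample set are kept; with it under [default] the simulator forwards everything, matching what the original poster saw before moving the line.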
Hey Frank, Thanks 🙂
So it just seems to be filtering on the first event, 4624, and I'm not seeing any of the others despite forcing the other events to happen... very strange, this filtering lark.
Ok, I think this is working now. Thanks Frank, you're a star 🙂