
What is the best method to index only set event ids from the security event log?

Communicator

Hey Guys,

So I'm setting up a lab for some testing. What I would like to do is index only set Windows Security Event IDs. What's the best and/or easiest way of achieving this? Would it be best to blacklist everything and then whitelist only the events I want indexed?

Any advice would be greatly appreciated

Cheers


Re: What is the best method to index only set event ids from the security event log?

Ultra Champion

I'd say just add the following to your inputs.conf:

whitelist = <comma separated list of event IDs you want to collect>

e.g.

whitelist = 2425,2426


Re: What is the best method to index only set event ids from the security event log?

Communicator

Hi Frank,

Thanks for the speedy response. Will doing this ignore all the unwanted Event IDs?


Re: What is the best method to index only set event ids from the security event log?

Ultra Champion

Yes, it does.


Re: What is the best method to index only set event ids from the security event log?

Communicator

Awesome, I'll give this a try and see how it goes. I'll post back in 15/20 mins after some events have had a chance to filter through 🙂


Re: What is the best method to index only set event ids from the security event log?

Communicator

Hey Frank,

So that doesn't seem to be working, in that I'm still seeing event IDs other than the ones listed in the inputs.conf. Any ideas?

I've restarted the Splunk service, and I've added the text to the inputs file as shown above.


Re: What is the best method to index only set event ids from the security event log?

Ultra Champion

Can you share the actual inputs.conf you have?

I gave the same suggestion to a similar question recently and that was accepted to work: https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html


Re: What is the best method to index only set event ids from the security event log?

Communicator

Hey Frank, sure.

So it did look like this:

[default]
host = wkstn01

whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803

I have just changed it to this:

[default]
host = wkstn01

[WinEventLog://Security]
whitelist1 = 4624,4647,4625,4778,4779,4800,4801,4802,4803

Just testing this a little further now.


Re: What is the best method to index only set event ids from the security event log?

Ultra Champion

Yeah, you want to add that specifically to the WinEventLog stanza, not the default stanza.

And there's no need to add that 1 if you just have one whitelist line.

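To make the two answers above concrete (a whitelist of event IDs, placed in the WinEventLog stanza rather than [default]), here is an added example that is not part of this thread and not Splunk's own code: a small Python simulation that reads an inputs.conf-style text, merges [default] values into the stanza, and applies whitelist/blacklist keys to constructed sample events. It handles both value forms the inputs.conf spec documents for Windows Event Log inputs, a comma-separated list of event IDs (ranges such as 4800-4803 are accepted here as an assumption) and key=%regex% pairs, and it treats whitelist, whitelist1 ... whitelist9 alike. The semantics are modelled on the spec; the inputs.conf text, the events and the function names are constructed for the example.

```python
import configparser
import re

# Constructed inputs.conf text, modelled on the thread's corrected version.
INPUTS_CONF = """
[default]
host = wkstn01

[WinEventLog://Security]
whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803
"""

# Constructed sample events with the two fields the filters below look at.
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Message": "An account was successfully logged on."},
    {"EventCode": "4625", "Message": "An account failed to log on."},
    {"EventCode": "4672", "Message": "Special privileges assigned to new logon."},
    {"EventCode": "5156", "Message": "The Windows Filtering Platform has permitted a connection."},
    {"EventCode": "4647", "Message": "User initiated logoff."},
]


def load_stanza(conf_text, stanza):
    """Return the settings of one stanza, with [default] values merged in."""
    parser = configparser.ConfigParser(interpolation=None, default_section="default")
    parser.optionxform = str  # keep key case; Splunk keys are case-sensitive
    parser.read_string(conf_text)
    return dict(parser[stanza])


def parse_filter(value):
    """Turn one whitelist/blacklist value into a predicate over an event dict.

    Two forms, following the inputs.conf spec: key=%regex% pairs that must all
    match (delimiter % or "), or a comma-separated list of event IDs. Ranges in
    the list form (e.g. 4800-4803) are an assumption of this example.
    """
    value = value.strip()
    pairs = re.findall(r'(\w+)=(["%])(.*?)\2', value)
    if pairs:
        compiled = [(key, re.compile(rx)) for key, _, rx in pairs]
        return lambda ev: all(r.search(str(ev.get(k, ""))) for k, r in compiled)
    ids = set()
    for item in value.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        elif item:
            ids.add(int(item))
    return lambda ev: int(ev.get("EventCode", -1)) in ids


def filter_events(settings, events):
    """Keep an event only if it matches at least one whitelist (when any are
    defined) and matches no blacklist. whitelist, whitelist1..9 are all honoured."""
    whitelists = [parse_filter(v) for k, v in settings.items() if re.fullmatch(r"whitelist\d*", k)]
    blacklists = [parse_filter(v) for k, v in settings.items() if re.fullmatch(r"blacklist\d*", k)]
    kept = []
    for ev in events:
        if whitelists and not any(w(ev) for w in whitelists):
            continue
        if any(b(ev) for b in blacklists):
            continue
        kept.append(ev)
    return kept


def kept_event_codes(conf_text, stanza="WinEventLog://Security", events=SAMPLE_EVENTS):
    """Convenience wrapper: the EventCodes that survive the stanza's filters."""
    return [ev["EventCode"] for ev in filter_events(load_stanza(conf_text, stanza), events)]


if __name__ == "__main__":
    print(kept_event_codes(INPUTS_CONF))  # only the whitelisted IDs present in the sample
```

Run it as-is to see that only 4624, 4625 and 4647 of the sample survive the thread's whitelist; swap in a key=%regex% form such as `whitelist1 = EventCode=%^46(24|47)$%` to see the regex path, and add a `blacklist` key to see that a blacklist removes events the whitelist would otherwise admit.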

Re: What is the best method to index only set event ids from the security event log?

Communicator

Hey Frank, thanks 🙂

So it just seems to be filtering the first event, 4624, and I'm not seeing any of the others despite forcing the other events to happen... Very strange, this filtering lark.
