So I'm setting up a lab for some testing, what I would like to do is index only set Windows Security Event IDs, what's the best and or easiest way of achieving this ? would it be best to black list everything and then whitelist only the events I want indexing ?
Any advice would be greatly appreciated
I'd say just add the following to your inputs.conf:
whitelist = <comma separated list of event IDs you want to collect>
whitelist = 2425,2426
Thanks for the speedy response, will doing this ignore all the unwanted Event IDs ?
Awesome, ill give this a try and see how it goes, ill post back in 15 / 20 mins after some events have had chance to filter through 🙂
So that doesn't seem to be working in that I'm still seeing other event ids other than the listed ones within the inputs.conf. any ideas ?
I've restarted the Splunk service, I've added the text in the inputs file as exampled above.
Can you share the actual inputs.conf you have?
I gave the same suggestion to a similar question recently and that was accepted to work: https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html
Hey Frank, Sure.
So it did look like this -
host = wkstn01
whitelist = 4624,4647,4625,4778,4779,4800,4801,4802,4803
I have just changed it to this -
host = wkstn01
whitelist1 = 4624,4647,4625,4778,4779,4800,4801,4802,4803
Just testing this a little further now
Yeah, you want to add that specifically to the WinEventLog stanza, not the default stanza.
And no need to add that
1 if you just have 1 whitelist line.
Hey Frank, Thanks 🙂
So it just seems to be filtering the first event 4624 and im not seeing any of the others despite forcing the other events to happen..... very strange this filtering lark.