Getting Data In

What is the proper syntax to whitelist a single EventCode from wineventlog security with a UF ?

Glasses
Contributor

Hi - 

Not having any luck testing or finding the answer in documentation so hopefully someone can confirm.

 

I want to collect a single EventCode=4624 from a Windows Server with a UF (v 8.0.6).

I am using an inputs.conf stanza like this>>>

#2021.4.19
[WinEventLog://Security]
disabled = 0
index=foo
whitelist1 = EventCode=4624

I am still collecting all wineventlog security EventCodes.

Any ideas?

TY!

0 Karma
1 Solution

Glasses
Contributor

Actually the issue was something with the UF not restarting splunkd.   

 

This stanza does work now... 

[WinEventLog://Security]
disabled = 0
index=foo
whitelist = 4624

View solution in original post

0 Karma

Glasses
Contributor

Even tried >>>

 

whitelist = 4624

 

no luck 😞

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Glasses,

whitelist and blacklist require regexes, so, please, try:

whitelist1 = EventCode\=4624

then, are your logs in json or normal format? if in json the regex is different.

Ciao.

Giuseppe

Glasses
Contributor

Actually the issue was something with the UF not restarting splunkd.   

 

This stanza does work now... 

[WinEventLog://Security]
disabled = 0
index=foo
whitelist = 4624

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!