Hi -
Not having any luck testing or finding the answer in documentation so hopefully someone can confirm.
I want to collect a single EventCode=4624 from a Windows Server with a UF (v 8.0.6).
I am using an inputs.conf stanza like this>>>
#2021.4.19
[WinEventLog://Security]
disabled = 0
index=foo
whitelist1 = EventCode=4624
I am still collecting all WinEventLog Security EventCodes.
Any ideas?
TY!
Actually the issue was something with the UF not restarting splunkd.
This stanza does work now...
[WinEventLog://Security]
disabled = 0
index=foo
whitelist = 4624
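As an added example (not from this thread and not Splunk's own code), here is a small Python model of how a whitelist value in a [WinEventLog://...] stanza selects events, covering the two forms inputs.conf accepts: the simple comma-separated list of EventCodes or ranges (whitelist = 4624, the form the accepted answer uses) and the whitelist<N> = key=%regex% form, where the regex must be %-delimited. The question's whitelist1 = EventCode=4624 has no delimiters, so this toy parser rejects it; what Splunk itself does with an undelimited value is not tested here. The stanza reader, the sample events, and the combination rules (pairs on one line are ANDed, separate whitelist<N> lines are ORed) are assumptions of this example. And as the accepted answer notes, none of this takes effect on a UF until splunkd has actually restarted.

```python
import re


def parse_stanza(text):
    """Read 'key = value' lines from one inputs.conf stanza.
    Toy reader for this example, not Splunk's: the [stanza] header
    and '#' comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        settings[key.strip()] = val.strip()
    return settings


def parse_simple_list(value):
    """Simple format: comma-separated EventCodes or ranges, e.g. '4624,4672-4675'."""
    codes = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(item))
    return codes


_PAIR = re.compile(r"(\w+)=%([^%]*)%")


def parse_advanced(value):
    """Advanced format: one or more 'key=%regex%' pairs separated by whitespace.
    An undelimited value such as 'EventCode=4624' is rejected here."""
    if not re.fullmatch(r"(\s*\w+=%[^%]*%)+\s*", value):
        raise ValueError(f"not key=%regex% form (regex must be %-delimited): {value!r}")
    return {key: re.compile(rx) for key, rx in _PAIR.findall(value)}


def compile_rule(value):
    """Turn one whitelist value into a predicate over an event dict."""
    if re.fullmatch(r"[\d,\s-]+", value):
        codes = parse_simple_list(value)
        return lambda ev: int(ev["EventCode"]) in codes
    pairs = parse_advanced(value)
    # Assumption: every key=%regex% pair on one line must match (AND).
    return lambda ev: all(rx.search(str(ev.get(k, ""))) for k, rx in pairs.items())


def whitelist_value_is_valid(value):
    """True if compile_rule accepts the value under this example's rules."""
    try:
        compile_rule(value)
        return True
    except ValueError:
        return False


def build_whitelist(settings):
    """Combine whitelist, whitelist1 ... whitelist9 into one predicate.
    Assumption: an event passes if it matches any whitelist entry (OR);
    with no whitelist at all, every event passes."""
    rules = [compile_rule(v) for k, v in settings.items() if re.fullmatch(r"whitelist\d?", k)]
    if not rules:
        return lambda ev: True
    return lambda ev: any(rule(ev) for rule in rules)


def filter_events(stanza_text, events):
    """Return the EventCodes the stanza would forward, in input order."""
    allowed = build_whitelist(parse_stanza(stanza_text))
    return [ev["EventCode"] for ev in events if allowed(ev)]


# Constructed sample events standing in for Security log records.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "User": "jsmith", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"EventCode": 4625, "User": "guest", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"EventCode": 4672, "User": "SYSTEM", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"EventCode": 4624, "User": "svc_backup", "SourceName": "Microsoft-Windows-Security-Auditing"},
]

# The stanza from the accepted answer (simple list form).
WORKING_STANZA = """\
[WinEventLog://Security]
disabled = 0
index = foo
whitelist = 4624
"""

# The same EventCode in the advanced form, narrowed further to one account.
ADVANCED_STANZA = """\
[WinEventLog://Security]
disabled = 0
index = foo
whitelist1 = EventCode=%^4624$% User=%^jsmith$%
"""

if __name__ == "__main__":
    print(filter_events(WORKING_STANZA, SAMPLE_EVENTS))
    print(filter_events(ADVANCED_STANZA, SAMPLE_EVENTS))
    print(whitelist_value_is_valid("EventCode=4624"))
```

Run it as a script to see the simple stanza forward both 4624 events, the advanced stanza forward only the jsmith logon, and the undelimited value from the question rejected.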
Even tried >>>
whitelist = 4624
no luck 😞
Hi @Glasses,
whitelist and blacklist require regexes, so, please, try:
whitelist1 = EventCode\=4624
Then, are your logs in JSON or normal format? If in JSON, the regex is different.
Ciao.
Giuseppe