Not having any luck testing or finding the answer in documentation, so hopefully someone can confirm.
I want to collect a single EventCode=4624 from a Windows Server with a UF (v 8.0.6).
I am using an inputs.conf stanza like this>>>
#2021.4.19
[WinEventLog://Security]
disabled = 0
index = foo
whitelist1 = EventCode=4624
I am still collecting all wineventlog security EventCodes.
Actually the issue was something with the UF not restarting splunkd.
This stanza does work now...
[WinEventLog://Security]
disabled = 0
index = foo
whitelist = 4624
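The accepted answer's point is that the stanza was fine and the forwarder simply had not been restarted. The following PowerShell script is an added example, not code from the original thread: it writes the working stanza into a local app, restarts the forwarder service, and then uses btool to show the configuration splunkd actually merged. The install path, the app name "foo_wineventlog" and the index "foo" are assumptions; adjust them to your deployment.

```powershell
# Added example (not from the original post). Assumed values: the UF lives in
# C:\Program Files\SplunkUniversalForwarder, the app name "foo_wineventlog" and
# the index "foo" are placeholders for your own deployment.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$AppDir     = Join-Path $SplunkHome 'etc\apps\foo_wineventlog\local'
$InputsConf = Join-Path $AppDir 'inputs.conf'

# Numeric-list form of whitelist, as in the accepted answer. Additional IDs or
# ranges can be comma-separated (for example: 4624,4625,4768-4776).
$Stanza = @'
[WinEventLog://Security]
disabled = 0
index = foo
whitelist = 4624
'@

New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
Set-Content -Path $InputsConf -Value $Stanza -Encoding ASCII

# inputs.conf edits are only read when splunkd (re)starts; this is the step the
# original poster was missing. SplunkForwarder is the UF's Windows service name.
Restart-Service -Name SplunkForwarder

# Check what the forwarder really loaded. btool merges every inputs.conf on
# disk, and --debug prefixes each setting with the file it came from, so a
# competing whitelist or blacklist in another app shows up here.
& (Join-Path $SplunkHome 'bin\splunk.exe') btool inputs list 'WinEventLog://Security' --debug
```

Run it from an elevated PowerShell session, since both writing under the Splunk install directory and restarting the service need administrator rights. If the btool output shows the whitelist coming from a different file than the one you just wrote, another app with higher precedence is overriding your stanza.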
Even tried >>>
whitelist = 4624
no luck 😞
whitelist and blacklist require regexes, so please try:
whitelist1 = EventCode\=4624
Then, are your logs in JSON or normal format? If in JSON, the regex is different.