Getting Data In

Whitelist/Blacklist Event ID using Forwarder Management

jonsantos
Engager

I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with an "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event ID 4625 from the Windows security logs, so I modified the "inputs.conf" file, which contains:

[WinEventLog:Security]
disabled=0

# only index events with these event IDs.
whitelist = EventCode=4625
blacklist = EventCode=4624,4634,4648,4670,4672

On the universal forwarder, I do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what I'm doing wrong?


vinod94
Contributor

Hi dude @jonsantos,
Can you try this:

On the deployment server, create an inputs.conf file in the local directory of the winevt app ($SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file.

[WinEventLog://Security]
disabled = 0
whitelist1 = EventCode=4625

An inputs.conf should get created in the local directory of the winevt app on the forwarder (C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf). Check the permissions of the inputs.conf file on the forwarder.

Search the logs with the given index name (if any).

Let me know if this helps.


sswigart
Engager

I have configured my \etc\system\local\inputs.conf as follows:

[WinEventLog://Security]
disabled = 0

whitelist = EventCode="4625"

The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.

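The two answers above use different but equally valid spellings of the same filter (`whitelist = EventCode="4625"` and `whitelist1 = EventCode=4625`), while the original question's blacklist packs several codes into one unquoted `EventCode=` value. A quick way to see which events a stanza will actually let through, before pushing it from the deployment server, is to evaluate the filters offline against sample event codes. The script below is an added example written for this thread, not Splunk's own code and not anything posted by the participants. It assumes the documented filter grammar as I read it: a plain value is a comma-separated list of event IDs or ID ranges, a `key=regex` value (regex in double quotes, `%...%`, or bare up to the next space) is searched, unanchored, against that field, multiple numbered whitelistN/blacklistN keys are OR-ed, and a blacklist match wins over a whitelist match. The sample inputs.conf text is constructed for the example.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample stanza for the example (not taken from a live forwarder).
SAMPLE_INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
# keep only 4625 and 4648; drop 4624 and 4634 explicitly
whitelist = EventCode="4625"
whitelist1 = EventCode=%^4648$%
blacklist = EventCode=4624,4634
"""

# whitelist, blacklist, whitelist1..whitelist9, blacklist1..blacklist9
FILTER_KEY = re.compile(r"^(whitelist|blacklist)[1-9]?$")
# key=regex tokens: key="regex", key=%regex% or key=regex (bare, up to whitespace)
KEY_REGEX = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%|(\S+))')

Filter = Tuple[str, Union[set, List[Tuple[str, re.Pattern]]]]


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal inputs.conf: [stanza] headers, key = value lines, # comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the FIRST '=' only
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_filter(value: str) -> Filter:
    """Return ('ids', {ints}) for '4624,4634,4648-4650' or ('kv', [(key, regex)]) for key=regex form."""
    if "=" not in value:
        ids = set()
        for part in value.split(","):
            part = part.strip()
            if "-" in part:
                lo, hi = part.split("-", 1)
                ids.update(range(int(lo), int(hi) + 1))
            elif part:
                ids.add(int(part))
        return ("ids", ids)
    pairs = []
    for m in KEY_REGEX.finditer(value):
        pattern = next(g for g in m.groups()[1:] if g is not None)
        pairs.append((m.group(1), re.compile(pattern)))
    return ("kv", pairs)


def filter_matches(flt: Filter, event: Dict[str, str]) -> bool:
    """True if the event satisfies the filter (all key=regex pairs on one line must match)."""
    kind, body = flt
    if kind == "ids":
        try:
            return int(event.get("EventCode", "")) in body
        except ValueError:
            return False
    return all(rx.search(str(event.get(key, ""))) is not None for key, rx in body)


def event_is_forwarded(stanza: Dict[str, str], event: Dict[str, str]) -> bool:
    """Apply the stanza's filters: blacklist wins, then any whitelist; no whitelist means allow all."""
    if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
        return False
    whitelists = [parse_filter(v) for k, v in stanza.items()
                  if FILTER_KEY.match(k) and k.startswith("whitelist")]
    blacklists = [parse_filter(v) for k, v in stanza.items()
                  if FILTER_KEY.match(k) and k.startswith("blacklist")]
    if any(filter_matches(b, event) for b in blacklists):
        return False
    if not whitelists:
        return True
    return any(filter_matches(w, event) for w in whitelists)


if __name__ == "__main__":
    sec = parse_inputs_conf(SAMPLE_INPUTS_CONF)["WinEventLog://Security"]
    for code in ("4624", "4625", "4634", "4648", "4672"):
        print(code, "forwarded" if event_is_forwarded(sec, {"EventCode": code}) else "dropped")
```

Running it against the sample stanza shows 4625 and 4648 forwarded and everything else dropped. Feeding the question's own blacklist value, `EventCode=4624,4634,4648,4670,4672`, into `parse_filter` is instructive under the key=regex reading assumed here: the whole comma-separated string becomes one regex, which never matches a single event code, so that line blocks nothing. Listing the codes without the `EventCode=` prefix, or quoting a regex such as `EventCode="4624|4634"`, gives the intended per-code behaviour.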