Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Whitelist/Blacklist Event ID using Forwarder Management

jonsantos
Engager
‎11-08-2018 01:53 PM

I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs
so I modified the "inputs.conf" file which contains:

[WinEventLog:Security]
disabled=0

only index events with these event IDs.

whitelist = EventCode=4625
blacklist = EventCode=4624,4634,4648,4670,4672

On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?

Tags (1)
0 Karma
Reply

vinod94
Contributor
‎01-26-2020 12:29 PM

Hi dyude @jonsantos ,
Can u try this,

On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file.

[WinEventLog://Security]
disabled = 0
whitelist1 = EventCode=4625

An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder.

Search the logs with the given index name(if any).

Let me know if this helps

0 Karma
Reply

sswigart
Engager
‎01-24-2020 09:35 AM

I have configured my \etc\system\local\inputs.conf as follows:

[WinEventLog://Security]
disabled = 0

whitelist = EventCode="4625"

The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...