Getting Data In

Why isn't whitelisting for universal forwarder working in Splunk v6.6.3?

Communicator

I am using UF 6.6.3.0 on my domain controller, and the following is my inputs.conf. The whitelisting part is not working; I am seeing all event codes.

[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5

# only index events with these event IDs.
whitelist = 4723,4724,4740,4782
index = wineventlog
renderXml = false


Communicator

I figured this out; here is my new inputs.conf.

If you don't type blacklist, it will not understand whitelist.

[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5

# only index events with these event IDs.
whitelist = 4723,4724,4740,4782

# exclude these event IDs from being indexed.
blacklist = 1100-8191
index = wineventlog
renderXml = false

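The accepted answer pairs a whitelist of four event IDs with a blacklist range (1100-8191) that contains all four of them, so whether anything gets indexed depends on how the forwarder resolves that overlap. The following is an added example, not code from the thread or from Splunk: it expands the numeric ID syntax that the WinEventLog whitelist/blacklist settings accept (single IDs, hyphenated ranges, comma-separated lists, plus the numbered whitelist1..whitelist9 / blacklist1..blacklist9 keys), detects the key=regex form and leaves it unexpanded, and reports which whitelisted IDs also fall inside a blacklist range. It deliberately does not decide which list wins; check inputs.conf.spec for your Splunk version for that. The stanza text is a constructed sample modelled on the accepted answer.

```python
"""Added example (not from the original thread): expand Splunk WinEventLog
whitelist/blacklist ID lists and report whitelist/blacklist overlap.
Precedence between the two lists is not modelled here."""
import re

# Constructed sample stanza, mirroring the accepted answer above (not a real file).
SAMPLE_STANZA = """
[WinEventLog://Security]
disabled = 0
# only index events with these event IDs.
whitelist = 4723,4724,4740,4782
# exclude these event IDs from being indexed.
blacklist = 1100-8191
index = wineventlog
"""

# Numeric form: "4723", "1100-8191", "0-2000,3001-10000". Anything else is
# treated as the key=regex form (e.g. EventCode=%^4723$%) and not expanded.
ID_LIST_RE = re.compile(r"^\s*\d+(\s*-\s*\d+)?(\s*,\s*\d+(\s*-\s*\d+)?)*\s*$")


def parse_stanza(text):
    """Return {key: [values]} for one stanza. Comments (#), blank lines and the
    [stanza] header are skipped. Values are kept in a list because Splunk also
    accepts numbered keys such as whitelist1, blacklist2."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def expand_ids(value):
    """Expand '4723,4724,4740-4742' into a set of ints.
    Returns None for the key=regex form, which must be matched against event
    fields rather than expanded into IDs."""
    if not ID_LIST_RE.match(value):
        return None
    ids = set()
    for part in value.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if hi < lo:
            raise ValueError(f"descending range {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def collect(settings, base):
    """Union of numeric IDs from the keys base, base1, base2, ... (e.g. whitelist,
    whitelist1). Regex-form values are skipped."""
    ids = set()
    for key, values in settings.items():
        if re.fullmatch(rf"{base}\d*", key):
            for v in values:
                got = expand_ids(v)
                if got is not None:
                    ids |= got
    return ids


def overlap_report(text):
    """Summarise a stanza: whitelisted IDs, blacklist size, and the IDs in both."""
    s = parse_stanza(text)
    wl, bl = collect(s, "whitelist"), collect(s, "blacklist")
    return {"whitelist": wl, "blacklist_size": len(bl), "in_both": wl & bl}


if __name__ == "__main__":
    print(overlap_report(SAMPLE_STANZA))
```

Run against the sample stanza, every whitelisted ID is reported in `in_both`, which is the situation the accepted answer relies on: if your Splunk version gives the blacklist precedence, a stanza shaped like this drops the very events you wanted, so verify the effective settings with `splunk btool inputs list --debug` on the forwarder and confirm the IDs arrive in the index.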

Legend

Hi hrithiktej,
in whitelist you have to insert regexes (see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ).
So in your case, if 4723,4724,4740,4782 are only numbers, try

whitelist = 4723|4724|4740|4782

if they are EventCodes, try

whitelist = EventCode\=4723|EventCode\=4724|EventCode\=4740|EventCode\=4782

(check whether in your events the field is written as EventCode or EventID)

Bye.
Giuseppe


Communicator

Thanks for your reply. Please check my resolution for this issue below.
