Getting Data In

WinEvent whitelist not working

Loves-to-Learn Lots

I'm trying to do whitelist on windows eventcode on my test environment before applying on production. after apply and reload, there no log activity come to splunk.

disabled = 0
whitelist1 = 4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779
whitelist2 = EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"

Thanks in advance your help

0 Karma

Path Finder

Even we had the same issue, but once we had a monitor stanza for the Security.evtx path in inputs.conf. The logs started coming in for the events that you've whitelisted.

0 Karma

Ultra Champion

Do you mean you have no WinEventLogs (at all) or just you dont see events for 5156?

If my comment helps, please give it a thumbs up!
0 Karma


Not pretty sure how to understand this, but:

* Both numbered and unnumbered whitelists and blacklists support two formats:
* A comma-separated list of event IDs.
* A list of key=regular expression pairs.
* You cannot combine these formats. You can use either format on a specific

Seems that you might need to transform your whitelist1 one to key=regex format ... but might also mean that you only can not combine list and key=regex format

0 Karma

Loves-to-Learn Lots

all events

0 Karma
Get Updates on the Splunk Community!

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...