I'm trying to whitelist Windows event codes in my test environment before applying it to production. After applying and reloading, no log activity comes into Splunk.
[WinEventLog://Security]
disabled = 0
whitelist1 = 4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779
whitelist2 = EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"
Thanks in advance for your help.
We had the same issue too, but once we added a monitor stanza for the Security.evtx path in inputs.conf, the logs started coming in for the events that you've whitelisted.
Do you mean you have no WinEventLogs at all, or just that you don't see events for 5156?
Not quite sure how to understand this, but:
* Both numbered and unnumbered whitelists and blacklists support two formats:
  * A comma-separated list of event IDs.
  * A list of key=regular expression pairs.
* You cannot combine these formats. You can use either format on a specific line.
Seems that you might need to transform your whitelist1 to key=regex format ... but it might also mean only that you cannot combine the list and key=regex formats.
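To make the two-format rule quoted above concrete, here is a small checker, added here and not part of the original thread or of Splunk's own code, that classifies each whitelist line of the stanza from the question as either a comma-separated ID list (with ranges) or a set of key=regex pairs, rejects a line that mixes the two, and then tests sample Security events against the parsed filters. It assumes that multiple whitelist entries are ORed (an event is kept if any entry matches), that all key=regex pairs within one entry must match, and that the regex is applied as an unanchored search on the field text; the event samples are constructed, not real log data.

```python
import re

# Constructed copy of the inputs.conf lines posted in the question.
SAMPLE_STANZA = """
[WinEventLog://Security]
disabled = 0
whitelist1 = 4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779
whitelist2 = EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"
"""

# Format 1: comma-separated event IDs, each optionally a low-high range.
ID_LIST_RE = re.compile(r"^\s*\d+(?:-\d+)?(?:\s*,\s*\d+(?:-\d+)?)*\s*$")
# Format 2: one or more key="regex" pairs (backslash-escaped quotes allowed).
KEY_REGEX_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_filter(value):
    """Classify one whitelist/blacklist value.

    Returns ("ids", set_of_ints) or ("kv", {key: compiled_regex}).
    Raises ValueError when the value mixes the two formats or fits neither,
    which is the case the quoted spec text says is unsupported on one line.
    """
    if ID_LIST_RE.match(value):
        ids = set()
        for part in value.split(","):
            part = part.strip()
            if "-" in part:
                lo, hi = (int(x) for x in part.split("-", 1))
                ids.update(range(lo, hi + 1))
            else:
                ids.add(int(part))
        return "ids", ids
    pairs = KEY_REGEX_RE.findall(value)
    # Anything left after removing all key="regex" pairs means a mixed line.
    if pairs and KEY_REGEX_RE.sub("", value).strip() == "":
        return "kv", {k: re.compile(v) for k, v in pairs}
    raise ValueError(f"unsupported or mixed filter format: {value!r}")


def parse_stanza(text):
    """Return {setting_name: parsed_filter} for every whitelist*/blacklist* line."""
    filters = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("["):
            continue
        key, _, val = line.partition("=")
        key = key.strip()
        if key.startswith(("whitelist", "blacklist")):
            filters[key] = parse_filter(val.strip())
    return filters


def event_passes(filters, event):
    """True if the event matches any whitelist entry (assumed OR semantics).

    `event` maps field name -> string, e.g. {"EventCode": "5156", "Message": "..."}.
    """
    code = int(event["EventCode"])
    for name, (kind, spec) in filters.items():
        if not name.startswith("whitelist"):
            continue
        if kind == "ids" and code in spec:
            return True
        # All key=regex pairs of one entry must match (assumed AND semantics).
        if kind == "kv" and all(rx.search(event.get(k, "")) for k, rx in spec.items()):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_stanza(SAMPLE_STANZA)
    for name, (kind, spec) in parsed.items():
        print(name, "->", kind, sorted(spec) if kind == "ids" else list(spec))
    logon = {"EventCode": "4624", "Message": "An account was successfully logged on."}
    putty = {"EventCode": "5156", "Message": "Application Name: \\device\\hd2\\putty\\putty.exe"}
    print("4624 kept:", event_passes(parsed, logon))
    print("5156 putty kept:", event_passes(parsed, putty))
```

Running this against the stanza from the question shows that whitelist1 and whitelist2 each use a single, valid format, so the "cannot combine" rule is not what is silently dropping events; a line such as `4624,EventCode="5156"` is the shape that the checker (and, per the quoted spec, Splunk) rejects.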
all events