
WinEvent whitelist not working

SoknySplunk
Loves-to-Learn Lots

I'm trying to whitelist Windows event codes in my test environment before applying the change to production. After applying it and reloading, no log activity comes into Splunk.

[WinEventLog://Security]
disabled = 0
whitelist1 = 4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779
whitelist2 = EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"

Thanks in advance your help

0 Karma

vsai0718
Path Finder

We had the same issue too, but once we had a monitor stanza for the Security.evtx path in inputs.conf, the logs started coming in for the events you whitelisted.

0 Karma

nickhills
Ultra Champion

Do you mean you have no WinEventLogs (at all), or just that you don't see events for 5156?

If my comment helps, please give it a thumbs up!
0 Karma

jbrocks
Communicator

Not quite sure how to understand this, but:

* Both numbered and unnumbered whitelists and blacklists support two formats:
* A comma-separated list of event IDs.
* A list of key=regular expression pairs.
* You cannot combine these formats. You can use either format on a specific line.

It seems that you might need to transform your whitelist1 into the key=regex format ... but it might also mean only that you cannot combine the list and key=regex formats on a single line.

0 Karma
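To make the two whitelist formats from the spec quoted above concrete, here is an added example (my own code, not from the original thread and not Splunk's implementation) that parses whitelist lines the way inputs.conf.spec describes them, rejects a line that mixes the formats, and runs the poster's two whitelist lines over a handful of constructed Security events. It assumes, as I read the spec, that separate whitelistN lines are ORed, that all key=regex pairs on one line must match (AND), and that the regex is an unanchored search against the field; the sample events and RecordNumbers are constructed, not real log data.

```python
import re

# Per inputs.conf.spec, a whitelistN line is EITHER a comma-separated list of
# event IDs (ranges such as 4722-4726 allowed) OR a list of key="regex" pairs.
ID_LIST_RE = re.compile(r'^\s*\d+(\s*-\s*\d+)?(\s*,\s*\d+(\s*-\s*\d+)?)*\s*$')
KV_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_whitelist_line(line):
    """Return ('ids', {ints}) or ('regex', [(key, compiled_re), ...]).

    Raises ValueError when the line is neither format or mixes both.
    """
    if ID_LIST_RE.match(line):
        ids = set()
        for part in line.split(','):
            part = part.strip()
            if '-' in part:
                lo, hi = (int(x) for x in part.split('-'))
                ids.update(range(lo, hi + 1))
            else:
                ids.add(int(part))
        return ('ids', ids)
    pairs = KV_RE.findall(line)
    if not pairs:
        raise ValueError('not an ID list and no key="regex" pairs: %r' % line)
    # Anything left after removing the key="regex" pairs means the two
    # formats were combined on one line, which the spec forbids.
    leftover = KV_RE.sub('', line).strip()
    if leftover:
        raise ValueError('mixed formats on one line: %r' % line)
    return ('regex', [(k, re.compile(v)) for k, v in pairs])


def is_valid_whitelist_line(line):
    try:
        parse_whitelist_line(line)
        return True
    except ValueError:
        return False


def line_matches(parsed, event):
    kind, spec = parsed
    if kind == 'ids':
        return int(event['EventCode']) in spec
    # Assumption: every key=regex pair on the line must match its field.
    return all(rx.search(str(event.get(key, ''))) for key, rx in spec)


def whitelist_accepts(stanza, event):
    """Assumption: the whitelistN lines of a stanza are ORed together."""
    lines = [v for k, v in stanza.items() if k.startswith('whitelist')]
    if not lines:
        return True  # no whitelist configured: everything is forwarded
    return any(line_matches(parse_whitelist_line(l), event) for l in lines)


# The poster's [WinEventLog://Security] stanza, as a dict.
STANZA = {
    'disabled': '0',
    'whitelist1': '4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779',
    'whitelist2': 'EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"',
}

# Constructed sample events (RecordNumber and Message text are made up).
SAMPLE_EVENTS = [
    {'RecordNumber': 1, 'EventCode': 4624,
     'Message': 'An account was successfully logged on.'},
    {'RecordNumber': 2, 'EventCode': 4724,
     'Message': "An attempt was made to reset an account's password."},
    {'RecordNumber': 3, 'EventCode': 5156,
     'Message': 'The Windows Filtering Platform has permitted a connection. '
                'Application Name: \\device\\harddiskvolume2\\program files\\putty\\putty.exe'},
    {'RecordNumber': 4, 'EventCode': 5156,
     'Message': 'The Windows Filtering Platform has permitted a connection. '
                'Application Name: \\device\\harddiskvolume2\\windows\\system32\\svchost.exe'},
    {'RecordNumber': 5, 'EventCode': 4672,
     'Message': 'Special privileges assigned to new logon.'},
]


def filter_events(stanza, events):
    """Return the RecordNumbers the whitelist would let through."""
    return [e['RecordNumber'] for e in events if whitelist_accepts(stanza, e)]


if __name__ == '__main__':
    print(filter_events(STANZA, SAMPLE_EVENTS))
```

Under these assumptions the poster's stanza is syntactically fine: whitelist1 admits records 1 and 2 by ID, whitelist2 admits the 5156 for putty.exe but drops the 5156 for svchost.exe, and 4672 is dropped because no line matches it. A line such as `4624, EventCode="5156"` is rejected as a mixed format, which is the case the spec warns about.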

SoknySplunk
Loves-to-Learn Lots

All events.

0 Karma