Getting Data In

WinEvent whitelist not working

Loves-to-Learn Lots

I'm trying to whitelist Windows event codes in my test environment before applying it in production. After applying and reloading, no log activity comes into Splunk.

disabled = 0
whitelist1 = 4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779
whitelist2 = EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"

Thanks in advance for your help.

0 Karma

Path Finder

We had the same issue too, but once we had a monitor stanza for the Security.evtx path in inputs.conf, the logs started coming in for the events that you've whitelisted.

0 Karma

Ultra Champion

Do you mean you have no WinEventLogs (at all), or just that you don't see events for 5156?

If my comment helps, please give it a thumbs up!
0 Karma


Not quite sure how to understand this, but:

* Both numbered and unnumbered whitelists and blacklists support two formats:
    * A comma-separated list of event IDs.
    * A list of key=regular expression pairs.
* You cannot combine these formats. You can use either format on a specific

Seems that you might need to transform your whitelist1 to the key=regex format ... but it might also mean only that you cannot combine the list and key=regex formats.

0 Karma
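As an added illustration (not code from the thread or from Splunk), a Python check that parses the two whitelist formats named in the quoted spec, rejects a line that mixes them, and replays constructed events against the two whitelist entries from the question. It assumes that separate whitelistN lines are OR'ed and that key=regex pairs on one line are AND'ed; verify both against the inputs.conf spec for the installed Splunk version.

```python
import re

# Constructed inputs.conf whitelist lines modelled on the two entries in the question
# (added example code, not part of the thread or of Splunk itself).
WHITELIST_LINES = {
    "whitelist1": "4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779",
    "whitelist2": 'EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"',
}

# Format 1: comma-separated event IDs, with optional ranges such as 4722-4726.
ID_LIST_RE = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
# Format 2: key=regex pairs; the spec lets the regex be delimited by "..." or %...%.
KEY_REGEX_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')

def parse_whitelist(line):
    """Return ("ids", set_of_ints) or ("kv", {key: compiled_regex}); raise ValueError
    for a line that mixes the two formats, which the spec forbids."""
    line = line.strip()
    if ID_LIST_RE.match(line):
        ids = set()
        for part in line.split(","):
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
        return "ids", ids
    pairs = KEY_REGEX_RE.findall(line)
    leftover = KEY_REGEX_RE.sub("", line).strip()
    if not pairs or leftover:
        raise ValueError(f"mixed or malformed whitelist line: {line!r}")
    return "kv", {key: re.compile(quoted or pct) for key, quoted, pct in pairs}

def event_allowed(event, rules):
    """True if the event passes at least one whitelist line. Assumption: separate
    whitelistN lines are OR'ed and key=regex pairs on one line are AND'ed; verify
    this against the inputs.conf spec for your Splunk version."""
    for kind, rule in rules.values():
        if kind == "ids":
            if int(event["EventCode"]) in rule:
                return True
        elif all(rx.search(str(event.get(key, ""))) for key, rx in rule.items()):
            return True
    return False

RULES = {name: parse_whitelist(text) for name, text in WHITELIST_LINES.items()}

if __name__ == "__main__":
    # Constructed sample events: a whitelisted account-change ID, an allowed 5156, a filtered 5156.
    for ev in ({"EventCode": "4724"},
               {"EventCode": "5156", "Message": "Application Name: \\device\\hd0\\putty.exe"},
               {"EventCode": "5156", "Message": "Application Name: \\device\\hd0\\chrome.exe"}):
        print(ev["EventCode"], "indexed" if event_allowed(ev, RULES) else "filtered")
```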

Loves-to-Learn Lots

all events

0 Karma