Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

WinEvent whitelist not working

SoknySplunk
Loves-to-Learn Lots
‎01-29-2020 06:54 PM

I'm trying to do whitelist on windows eventcode on my test environment before applying on production. after apply and reload, there no log activity come to splunk.

[WinEventLog://Security]
disabled = 0
whitelist1 = 4624,4625,4634,4688,4689,4720,4722-4726,4728,4729,4732,4756,4778,4779
whitelist2 = EventCode="5156" Message="(putty.exe)|(SecureCRT.exe)|(mstsc.exe)|(winscp.exe)"

Thanks in advance your help

0 Karma
Reply

vsai0718
Path Finder
‎02-12-2020 02:10 PM

Even we had the same issue, but once we had a monitor stanza for the Security.evtx path in inputs.conf. The logs started coming in for the events that you've whitelisted.

0 Karma
Reply

nickhills
Ultra Champion
‎01-30-2020 11:09 AM

Do you mean you have no WinEventLogs (at all) or just you dont see events for 5156?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

jbrocks
Communicator
‎02-01-2020 09:51 AM

Not pretty sure how to understand this, but:


* Both numbered and unnumbered whitelists and blacklists support two formats:
* A comma-separated list of event IDs.
* A list of key=regular expression pairs.
* You cannot combine these formats. You can use either format on a specific
line.

Seems that you might need to transform your whitelist1 one to key=regex format ... but might also mean that you only can not combine list and key=regex format

0 Karma
Reply

SoknySplunk
Loves-to-Learn Lots
‎01-30-2020 05:43 PM

all events

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...