Re: Windows Event Codes Whitelist not working

knutsod · ‎06-26-2014

I am using a deployment server to push out a config to several universal forwarders (version 6.1.1) on windows, everything seems to be working fine but the whitelist part.
inputs.conf:
[WinEventLog:Security] disabled = 0 whitelist = 508,510,576
I have also tried the following whitelist configs:
whitelist1 = 508,510,576
whitelist = 508|510|576

Nothing seems to work, I am seeing all the event IDs coming through to my indexer.

yannK · ‎06-27-2014

Just to make sure, can you try with the 6.* input format with double slashs ?

[WinEventLog://Security] disabled = 0 whitelist = 508,510,576
http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/MonitorWindowsdata

knutsod · ‎06-27-2014

When the app gets deployed the // is added. So on the 6.1.1 universal forwarders it looks like that already.

knutsod · ‎06-27-2014

Also note that the universal forwarders are version 6.1.1 but the heavy forwarder they are sending data to is splunk version 5.0.4.

mendesjo · ‎02-12-2016

Same problem.. ever find a solution?

Windows Event Codes Whitelist not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation