Re: Windows Event Codes Whitelist not working

knutsod · ‎06-26-2014

I am using a deployment server to push out a config to several universal forwarders (version 6.1.1) on windows, everything seems to be working fine but the whitelist part.
inputs.conf:
[WinEventLog:Security] disabled = 0 whitelist = 508,510,576
I have also tried the following whitelist configs:
whitelist1 = 508,510,576
whitelist = 508|510|576

Nothing seems to work, I am seeing all the event IDs coming through to my indexer.

yannK · ‎06-27-2014

Just to make sure, can you try with the 6.* input format with double slashs ?

[WinEventLog://Security] disabled = 0 whitelist = 508,510,576
http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/MonitorWindowsdata

knutsod · ‎06-27-2014

When the app gets deployed the // is added. So on the 6.1.1 universal forwarders it looks like that already.

knutsod · ‎06-27-2014

Also note that the universal forwarders are version 6.1.1 but the heavy forwarder they are sending data to is splunk version 5.0.4.

mendesjo · ‎02-12-2016

Same problem.. ever find a solution?

Windows Event Codes Whitelist not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation