Windows Event Codes Whitelist not working

knutsod · ‎06-26-2014

I am using a deployment server to push out a config to several universal forwarders (version 6.1.1) on windows, everything seems to be working fine but the whitelist part.
inputs.conf:
[WinEventLog:Security] disabled = 0 whitelist = 508,510,576
I have also tried the following whitelist configs:
whitelist1 = 508,510,576
whitelist = 508|510|576

Nothing seems to work, I am seeing all the event IDs coming through to my indexer.

yannK · ‎06-27-2014

Just to make sure, can you try with the 6.* input format with double slashs ?

[WinEventLog://Security] disabled = 0 whitelist = 508,510,576
http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/MonitorWindowsdata

knutsod · ‎06-27-2014

When the app gets deployed the // is added. So on the 6.1.1 universal forwarders it looks like that already.

knutsod · ‎06-27-2014

Also note that the universal forwarders are version 6.1.1 but the heavy forwarder they are sending data to is splunk version 5.0.4.

mendesjo · ‎02-12-2016

Same problem.. ever find a solution?

Windows Event Codes Whitelist not working

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)