I am using a deployment server to push out a config to several universal forwarders (version 6.1.1) on Windows. Everything seems to be working fine but the whitelist part.
inputs.conf:
[WinEventLog:Security]
disabled = 0
whitelist = 508,510,576
I have also tried the following whitelist configs:
whitelist1 = 508,510,576
whitelist = 508|510|576
Nothing seems to work; I am seeing all the event IDs coming through to my indexer.
Just to make sure, can you try with the 6.* input format with double slashes?
[WinEventLog://Security]
disabled = 0
whitelist = 508,510,576
http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/MonitorWindowsdata
When the app gets deployed the // is added. So on the 6.1.1 universal forwarders it looks like that already.
Also note that the universal forwarders are version 6.1.1 but the heavy forwarder they are sending data to is splunk version 5.0.4.
Same problem... ever find a solution?
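As an added illustration (not Splunk's own code, and not from anyone in this thread), here is a simplified Python model of how a comma-separated event ID whitelist filters Security events, including the numeric ranges the inputs.conf spec allows; it also shows that the pipe-separated form tried in the question is not a valid ID list. The sample events are constructed.

```python
import re

# Constructed sample events; only EventCode matters for ID-list filtering.
SAMPLE_EVENTS = [
    {"EventCode": 508, "Message": "constructed: process started"},
    {"EventCode": 510, "Message": "constructed: scheduled task created"},
    {"EventCode": 576, "Message": "constructed: privileges assigned"},
    {"EventCode": 4624, "Message": "constructed: logon"},
    {"EventCode": 4625, "Message": "constructed: failed logon"},
]

# One list item: a single ID ("508") or an inclusive range ("4624-4650").
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_whitelist(value):
    """Parse 'a,b,c-d' into a set of allowed event IDs.

    Simplified model, not Splunk's parser. A token such as '508|510|576'
    is one malformed item, not three IDs, so it is rejected.
    """
    ids = set()
    for raw in value.split(","):
        item = raw.strip()
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"not an event ID or range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {item!r}")
        ids.update(range(lo, hi + 1))
    return ids


def is_valid_whitelist(value):
    """True if every item is an ID or range in the list form."""
    try:
        parse_whitelist(value)
        return True
    except ValueError:
        return False


def forwarded_codes(events, value):
    """Sorted EventCodes that survive the whitelist (what the indexer sees)."""
    allowed = parse_whitelist(value)
    return sorted(e["EventCode"] for e in events if e["EventCode"] in allowed)


if __name__ == "__main__":
    print(forwarded_codes(SAMPLE_EVENTS, "508,510,576"))  # [508, 510, 576]
    print(is_valid_whitelist("508|510|576"))              # False
```

Comparing the EventCode values that actually reach the indexer against this expected set is a quick way to confirm whether the deployed stanza is being applied at all.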