Getting Data In

Windows Event Codes Whitelist not working

knutsod
Path Finder

I am using a deployment server to push out a config to several universal forwarders (version 6.1.1) on windows, everything seems to be working fine but the whitelist part.
inputs.conf:

[WinEventLog:Security]
disabled = 0
whitelist = 508,510,576

I have also tried the following whitelist configs:

whitelist1 = 508,510,576


whitelist = 508|510|576

Nothing seems to work, I am seeing all the event IDs coming through to my indexer.

0 Karma

yannK
Splunk Employee
Splunk Employee

Just to make sure, can you try with the 6.* input format with double slashs ?


[WinEventLog://Security]
disabled = 0
whitelist = 508,510,576

http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/MonitorWindowsdata

0 Karma

knutsod
Path Finder

When the app gets deployed the // is added. So on the 6.1.1 universal forwarders it looks like that already.

0 Karma

knutsod
Path Finder

Also note that the universal forwarders are version 6.1.1 but the heavy forwarder they are sending data to is splunk version 5.0.4.

0 Karma

mendesjo
Path Finder

Same problem.. ever find a solution?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...