Windows Event Codes Whitelist not working

knutsod · ‎06-26-2014

I am using a deployment server to push out a config to several universal forwarders (version 6.1.1) on windows, everything seems to be working fine but the whitelist part.
inputs.conf:
[WinEventLog:Security] disabled = 0 whitelist = 508,510,576
I have also tried the following whitelist configs:
whitelist1 = 508,510,576
whitelist = 508|510|576

Nothing seems to work, I am seeing all the event IDs coming through to my indexer.

yannK · ‎06-27-2014

Just to make sure, can you try with the 6.* input format with double slashs ?

[WinEventLog://Security] disabled = 0 whitelist = 508,510,576
http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/MonitorWindowsdata

knutsod · ‎06-27-2014

When the app gets deployed the // is added. So on the 6.1.1 universal forwarders it looks like that already.

knutsod · ‎06-27-2014

Also note that the universal forwarders are version 6.1.1 but the heavy forwarder they are sending data to is splunk version 5.0.4.

mendesjo · ‎02-12-2016

Same problem.. ever find a solution?

Windows Event Codes Whitelist not working

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Windows Event Codes Whitelist not working

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...