Getting Data In

Windows Event Log Blacklist not Blacklisting

New Member

I'm running Splunk 6.1 as my indexer. I have a 6.1 universal forwarder setup on a windows box and I'm trying to filter what event logs get sent back to the indexer.

I added this stanza to inputs.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local:

[WinEventLog:Security]
disabled = 0
blacklist = 5145,5156

I then restarted the forwarder service and unfortunately I am still seeing 5145s and 5156s in my indexer. Am I missing something? I looked at splunkd.log but it didn't provide any insight on the issue.

Josh

0 Karma

Communicator

Revered Legend

This blog is a good read. Other references

http://answers.splunk.com/answers/29218/filtering-windows-event-logs

http://answers.splunk.com/answers/136559/filtering-wineventlogsecurity

They may have some extra filters, so adjust per your need.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!