Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows Event Log Blacklist not Blacklisting

jadams7325
New Member
‎08-05-2014 01:58 PM

I'm running Splunk 6.1 as my indexer. I have a 6.1 universal forwarder setup on a windows box and I'm trying to filter what event logs get sent back to the indexer.

I added this stanza to inputs.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local:

[WinEventLog:Security]
disabled = 0
blacklist = 5145,5156

I then restarted the forwarder service and unfortunately I am still seeing 5145s and 5156s in my indexer. Am I missing something? I looked at splunkd.log but it didn't provide any insight on the issue.

Josh

0 Karma
Reply

Jeff_Lightly_Sp
Communicator
‎08-05-2014 02:05 PM

Take a look at this excellent blog post:

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

Reply

somesoni2
Revered Legend
‎08-05-2014 02:21 PM

This blog is a good read. Other references

http://answers.splunk.com/answers/29218/filtering-windows-event-logs

http://answers.splunk.com/answers/136559/filtering-wineventlogsecurity

They may have some extra filters, so adjust per your need.

Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...