Windows Event Log Inputs - Combining whitelists of...

adam_reber · ‎11-04-2015

I am trying to collect a whitelist of about 200 EventCodes in the Windows Security log, in addition to ANY event in the Security log that has a SourceName=MSSQL*. Here is what I have:

[WinEventLog://Security]
disabled = false
whitelist = 528,532,4624,4628...
whitelist1 = SourceName=%MSSQL.*%

However, now I only get MSSQL events, and it appears to ignore the first whitelist. How can I combine them so that I see any event matching, 528,532,4624,4628 regardless of SourceName, and any event with SourceName=MSSQL regardless of EventCode?

ltrand · ‎11-04-2015

for whitelisting/blacklisting it needs to be formatted as follows:

whitelist.0 = first condition
whitelist.1 = second condition
whitelist.n = etc

adam_reber · ‎11-04-2015

For normal monitor inputs that is true, however the docs state otherwise for Windows Events.
http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Inputsconf#inputs.conf.spec

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

whitelist1 = key=regex [key=regex]
whitelist2 = key=regex [key=regex]
whitelist3 = key=regex [key=regex]
blacklist1 = key=regex [key=regex]
blacklist2 = key=regex [key=regex]
blacklist3 = key=regex [key=regex]

Windows Event Log Inputs - Combining whitelists of EventCodes and SourceNames

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation