Windows Event Log Inputs - Combining whitelists of...

adam_reber · ‎11-04-2015

I am trying to collect a whitelist of about 200 EventCodes in the Windows Security log, in addition to ANY event in the Security log that has a SourceName=MSSQL*. Here is what I have:

[WinEventLog://Security]
disabled = false
whitelist = 528,532,4624,4628...
whitelist1 = SourceName=%MSSQL.*%

However, now I only get MSSQL events, and it appears to ignore the first whitelist. How can I combine them so that I see any event matching, 528,532,4624,4628 regardless of SourceName, and any event with SourceName=MSSQL regardless of EventCode?

ltrand · ‎11-04-2015

for whitelisting/blacklisting it needs to be formatted as follows:

whitelist.0 = first condition
whitelist.1 = second condition
whitelist.n = etc

adam_reber · ‎11-04-2015

For normal monitor inputs that is true, however the docs state otherwise for Windows Events.
http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Inputsconf#inputs.conf.spec

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

whitelist1 = key=regex [key=regex]
whitelist2 = key=regex [key=regex]
whitelist3 = key=regex [key=regex]
blacklist1 = key=regex [key=regex]
blacklist2 = key=regex [key=regex]
blacklist3 = key=regex [key=regex]

Windows Event Log Inputs - Combining whitelists of EventCodes and SourceNames

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases