I am trying to collect a whitelist of about 200 EventCodes in the Windows Security log, in addition to ANY event in the Security log that has a SourceName=MSSQL*. Here is what I have:
[WinEventLog://Security]
disabled = false
whitelist = 528,532,4624,4628...
whitelist1 = SourceName=%MSSQL.*%
However, now I only get MSSQL events, and it appears to ignore the first whitelist. How can I combine them so that I see any event matching, 528,532,4624,4628 regardless of SourceName, and any event with SourceName=MSSQL regardless of EventCode?
For whitelisting/blacklisting it needs to be formatted as follows:
whitelist.0 = first condition
whitelist.1 = second condition
whitelist.n = etc
For normal monitor inputs that is true; however, the docs state otherwise for Windows Events.
http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Inputsconf#inputs.conf.spec
whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]
whitelist1 = key=regex [key=regex]
whitelist2 = key=regex [key=regex]
whitelist3 = key=regex [key=regex]
blacklist1 = key=regex [key=regex]
blacklist2 = key=regex [key=regex]
blacklist3 = key=regex [key=regex]
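To make the distinction between the two formats concrete, here is an added example (not code from the thread or from Splunk) that reads a [WinEventLog://...] stanza with Python's configparser, checks each whitelist/blacklist setting against the spec quoted above (a bare event-ID list or key=%regex% pairs in whitelist/blacklist, key=%regex% pairs only in the numbered whitelistN/blacklistN), flags the monitor-input style whitelist.N keys, and tries each entry against sample events. Assumptions: the numbered keys run 1-9 (the excerpt shows 1-3), all key=regex pairs on one line must match, and Python's re stands in for Splunk's PCRE. How Splunk combines several entries is deliberately not modelled; the report is per entry.

```python
"""Check WinEventLog whitelist/blacklist entries against the documented inputs.conf
format and try each entry against sample events. Added example, not Splunk code."""
import configparser
import re

# Documented WinEventLog keys: whitelist, blacklist, and numbered whitelist1..9 /
# blacklist1..9 (the spec excerpt shows 1-3; up to 9 is assumed here).
LIST_KEY = re.compile(r"^(whitelist|blacklist)([1-9])?$")
# A bare event-ID list: "528,532,4624"
ID_LIST = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")
# key=%regex% pairs, with the % delimiters the Splunk docs use, e.g. SourceName=%MSSQL.*%
KEY_REGEX = re.compile(r"(\w+)=%(.*?)%")


def parse_entry(key, value):
    """Return ("ids", {ints}) or ("regex", {field: compiled}); raise ValueError if the
    key or value does not fit the documented WinEventLog format."""
    m = LIST_KEY.match(key)
    if not m:
        raise ValueError(f"{key}: not a WinEventLog list key (whitelist, whitelist1-9, "
                         "blacklist, blacklist1-9); 'whitelist.N' is the monitor-input form")
    base, numbered = m.group(1), m.group(2) is not None
    if ID_LIST.match(value):
        if numbered:
            raise ValueError(f"{key}: numbered entries take key=regex pairs only; "
                             f"a plain event-ID list belongs in '{base}'")
        return ("ids", {int(x) for x in value.split(",")})
    pairs = KEY_REGEX.findall(value)
    leftover = KEY_REGEX.sub("", value).strip()
    if not pairs or leftover:
        raise ValueError(f"{key}: expected an ID list or key=%regex% pairs, got {value!r}")
    # Splunk regexes are PCRE; Python's re is close enough for typical field patterns.
    return ("regex", {field: re.compile(rx) for field, rx in pairs})


def check_stanza(conf_text, stanza):
    """Parse one stanza; return (entries, errors) with entries keyed by setting name."""
    cp = configparser.ConfigParser(interpolation=None)  # keep % literal
    cp.optionxform = str  # preserve key case
    cp.read_string(conf_text)
    entries, errors = {}, []
    for key, value in cp.items(stanza):
        if not key.lower().startswith(("whitelist", "blacklist")):
            continue
        try:
            entries[key] = parse_entry(key, value)
        except ValueError as exc:
            errors.append(str(exc))
    return entries, errors


def entry_matches(entry, event):
    """Does a single entry match an event (dict of field -> value)? For a regex entry
    every key=regex pair must match (assumed AND within one line)."""
    kind, spec = entry
    if kind == "ids":
        return int(event["EventCode"]) in spec
    return all(rx.search(str(event.get(field, ""))) for field, rx in spec.items())


def match_report(entries, event):
    """Per-entry results for one event; how entries combine is left to Splunk."""
    return {name: entry_matches(entry, event) for name, entry in entries.items()}


# Constructed sample: the stanza from the question with a short explicit ID list.
SAMPLE_CONF = """
[WinEventLog://Security]
disabled = false
whitelist = 528,532,4624,4628
whitelist1 = SourceName=%MSSQL.*%
"""

# Constructed: monitor-input style numbering, which is not in the WinEventLog spec.
MONITOR_STYLE_CONF = """
[WinEventLog://Security]
whitelist.0 = 528,532,4624,4628
whitelist.1 = SourceName=%MSSQL.*%
"""

# Constructed sample events: a logon record and a SQL Server audit record.
LOGON = {"EventCode": 4624, "SourceName": "Microsoft-Windows-Security-Auditing"}
SQL = {"EventCode": 18453, "SourceName": "MSSQLSERVER"}

if __name__ == "__main__":
    entries, errors = check_stanza(SAMPLE_CONF, "WinEventLog://Security")
    print("errors:", errors)
    for ev in (LOGON, SQL):
        print(ev, "->", match_report(entries, ev))
    print("monitor-style errors:",
          check_stanza(MONITOR_STYLE_CONF, "WinEventLog://Security")[1])
```

Run against the question's stanza the checker reports no format errors: the ID list matches the 4624 logon and not the MSSQLSERVER record, while whitelist1 matches the MSSQLSERVER record and not the logon. The same stanza written with whitelist.0/whitelist.1 produces one error per key, which is the point of the comment above. What the running forwarder does with two matching entries is not something this script can tell you; that is the question left open in the thread.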