Getting Data In

Windows Event Log Inputs - Combining whitelists of EventCodes and SourceNames

adam_reber
Path Finder

I am trying to collect a whitelist of about 200 EventCodes in the Windows Security log, in addition to ANY event in the Security log that has a SourceName=MSSQL*. Here is what I have:

[WinEventLog://Security]
disabled = false
whitelist = 528,532,4624,4628...
whitelist1 = SourceName=%MSSQL.*%

However, now I only get MSSQL events, and it appears to ignore the first whitelist. How can I combine them so that I see any event matching, 528,532,4624,4628 regardless of SourceName, and any event with SourceName=MSSQL regardless of EventCode?

0 Karma

ltrand
Contributor

for whitelisting/blacklisting it needs to be formatted as follows:

whitelist.0 = first condition
whitelist.1 = second condition
whitelist.n = etc

0 Karma

adam_reber
Path Finder

For normal monitor inputs that is true, however the docs state otherwise for Windows Events.
http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Inputsconf#inputs.conf.spec

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

whitelist1 = key=regex [key=regex]
whitelist2 = key=regex [key=regex]
whitelist3 = key=regex [key=regex]
blacklist1 = key=regex [key=regex]
blacklist2 = key=regex [key=regex]
blacklist3 = key=regex [key=regex]
0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...