Hi, I just tried to whitelist the Security log as below but it is not working.
In fact, none of these attributes is reflected in the system.
I tried changing to disabled=1 but the logs keep coming (even after restarting).
ver: 6.1
[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4663
Hi manyaeons,
try to follow these instructions:
input.conf
copy the file to the default folder
and go stick it in the local folder
and then make the change to put disabled=1 in local.
Splunk then restarts. During startup, Splunk will first consult the local file before the default folder and take the change into account.
I hope it will work.
Please forgive my English.
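The default/local layering the answer describes, as an added example that is not part of the thread: a small Python model of how Splunk merges default/inputs.conf with local/inputs.conf and how the effective stanza's whitelist then filters by EventCode. The two file contents are constructed from the stanza in the question; only the comma/range form of whitelist is modelled, and the stanza applies to the WinEventLog input, which is a separate collection path from WMI (configured in wmi.conf).

```python
import configparser
from typing import Dict, Set

# Constructed sample layers, not files from the thread. Splunk reads default/
# inputs.conf first, then local/inputs.conf; a key set in local overrides the
# same key in default and the other keys of the stanza are kept.
DEFAULT_INPUTS = """
[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4663
"""
LOCAL_INPUTS = """
[WinEventLog://Security]
disabled = 1
"""

def merge_layers(*layers: str) -> Dict[str, Dict[str, str]]:
    """Merge .conf texts given lowest precedence first (default, then local)."""
    merged: Dict[str, Dict[str, str]] = {}
    for text in layers:
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key case, e.g. checkpointInterval
        cp.read_string(text)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
    return merged

def parse_whitelist(value: str) -> Set[int]:
    """Event-code form of whitelist: '4663,4624,100-102' (key=regex form omitted)."""
    codes: Set[int] = set()
    for part in (p.strip() for p in value.split(",") if p.strip()):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes

def keep_event(stanza: Dict[str, str], event_code: int) -> bool:
    """Would this stanza index an event with the given EventCode?"""
    if stanza.get("disabled", "0").strip() == "1":
        return False  # input disabled: nothing is collected
    whitelist = stanza.get("whitelist", "").strip()
    return not whitelist or event_code in parse_whitelist(whitelist)
```

With both layers merged, disabled=1 from local wins while whitelist=4663 from default is still present, so no Security event is collected at all.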
Note: using WMI, not a forwarder.
And yes, it is inputs.conf.