Getting Data In

Editing input.conf is not reflected in the system

manyaeons
New Member

Hi, I just tried to whitelist the Security log as below, but it is not working.
In fact, none of these attributes are reflected in the system.
I tried changing to disabled=1, but logs keep coming (even after restarting).

ver: 6.1

[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4663
0 Karma

gyslainlatsa
Motivator

Hi manyaeons,
Try to follow these instructions.

Copy the input.conf file in the default folder and put it in the local folder, and then make the change in local to put disabled=1.
Splunk then restarts. During startup, Splunk will first consult the local file before the default folder and take the change into account.
I hope it will work.

Please forgive my English.

0 Karma
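
A simplified model of the default/local layering described in the answer above, as an added example that is not part of the thread or Splunk's own code. It assumes only two layers (one default file and one local file) and uses constructed file contents; it shows that the merge happens per attribute, so the local file only needs the settings being changed.

```python
# Added example: simplified two-layer model of .conf precedence (default < local).
# The file contents below are constructed for illustration.

DEFAULT_CONF = """\
[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
"""

LOCAL_CONF = """\
# local override: only the changed attributes are listed
[WinEventLog://Security]
disabled = 1
whitelist = 4663
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys outside a stanza are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def effective(layers):
    """Merge layers given lowest precedence first.

    Returns {stanza: {key: (value, layer_name)}} so every effective
    setting shows which layer supplied it.
    """
    merged = {}
    for name, text in layers:
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {})[key] = (value, name)
    return merged


if __name__ == "__main__":
    result = effective([("default", DEFAULT_CONF), ("local", LOCAL_CONF)])
    for stanza, settings in result.items():
        print(f"[{stanza}]")
        for key, (value, layer) in sorted(settings.items()):
            print(f"{layer:8} {key} = {value}")
```

On a real installation, `splunk btool inputs list --debug` prints the effective settings together with the file each one comes from, across all of Splunk's configuration directories.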

manyaeons
New Member

Note: using WMI, not a forwarder.
And yes, it is inputs.conf.

0 Karma