Getting Data In

inputs.conf Windows event whitelist

isolsplunk
New Member

Hi guys,
it seems there's something wrong with my inputs.conf whitelist configuration:

[WinEventLog://System]
index = winsecevents
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
whitelist = EventCode="^104$" TaskCategory="^Log\sclear"

I tried, of course, with:
whitelist = EventCode="104" TaskCategory="Log clear"
or with the "Message" conf like this one:

whitelist = EventCode="104" Message=".+log\sfile\swas\scleared."

But nothing has changed.
Do you have some ideas?
Thanks a lot.


isolsplunk
New Member

OK, I understood why it doesn't work.
I have renderXml=true, and if I check the Windows event, there isn't any field I was looking for.
I must change the logic, parsing the raw XML and looking through it.


gcusello
SplunkTrust

Hi
from https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = <regular expression>
* If set, files from this input are monitored only if their path matches the
  specified regex.
* Takes precedence over the deprecated '_whitelist' setting, which functions
  the same way.
* Default: Not set.

So check the regex against your logs, escaping all special chars (such as = or "); it should be something like this:

whitelist = EventCode\=104.*TaskCategory\=Log\sclear

Ciao.
Giuseppe


isolsplunk
New Member

Ciao Giuseppe,
thanks for your comment.
I think I'm missing something... just to be clear, I'm trying to filter Windows event logs, not custom ones.
In another stanza I have these settings, which are running correctly:

[WinEventLog://Security]
index = winsecevents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662|566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="4634|4624" Message="Logon Type:\s+3"
blacklist3 = EventCode="4648|4658" Message="Process Name:\s+C:\Program\sFiles\Microsoft\sAzure\sAD\sSync\Bin\miiserver.exe"
renderXml=true

The difference is just the keyword "blacklist" instead of "whitelist", but this one:
whitelist = EventCode="104" TaskCategory=".*Log\sclear"
or this:
whitelist = EventCode="104" Message=".+\slog\sfile\swas\scleared."

looks totally correct to me.
Thanks.


sandeepmakkena
Contributor

whitelist = EventCode=%^104$%

Try this edit and restart Splunk; I hope this will help!


sandeepmakkena
Contributor

props.conf

[WinEventLog://System]
TRANSFORMS-FilterEvent = FilterEvent

transforms.conf

[FilterEvent]
REGEX = EventCode="^104$"
DEST_KEY = queue
FORMAT = nullQueue

Try this as well!


isolsplunk
New Member

Hi there, the issue is related to the second part of the filter: TaskCategory/Message (they are on the same line, but the post has been modified).

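The thread turns on one point: with renderXml=true the event no longer carries TaskCategory or Message as text, so a key=regex whitelist on those keys has nothing to match, and Giuseppe's escaped regex and sandeepmakkena's transforms.conf REGEX are evaluated against the raw event text, whichever rendering that is. The script below is an added example, not code from this thread or from Splunk: it is a small, hypothetical model of the key=regex matching (Splunk's real matcher may differ in details) run against two constructed samples of event 104, one in the classic key=value rendering and one in the XML rendering. The XML sample and the mapping of XML elements to inputs.conf key names are assumptions made for the example. It applies the regexes posted above (the whitelist lines, the `EventCode\=104.*TaskCategory\=Log\sclear` suggestion and the `EventCode="^104$"` REGEX) so you can see which rendering each one actually matches before touching inputs.conf.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of event 104 (log cleared) in the classic rendering,
# using the key names inputs.conf lists for whitelist/blacklist. Values are
# made up for this example.
CLASSIC_EVENT = """\
LogName=System
SourceName=Microsoft-Windows-Eventlog
EventCode=104
EventType=4
Type=Information
ComputerName=ws01.example.local
TaskCategory=Log clear
OpCode=Info
RecordNumber=12345
Keywords=None
Message=The System log file was cleared.
"""

# Constructed sample of the same event as renderXml=true delivers it. There is
# no "TaskCategory" or "Message" text in it: the XML carries only the numeric
# <Task>, and the cleared-log details sit under <UserData>.
XML_EVENT = """\
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Eventlog'/>
    <EventID>104</EventID>
    <Task>104</Task>
    <EventRecordID>12345</EventRecordID>
    <Channel>System</Channel>
    <Computer>ws01.example.local</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'>
      <SubjectUserName>admin</SubjectUserName>
      <SubjectDomainName>EXAMPLE</SubjectDomainName>
      <Channel>System</Channel>
    </LogFileCleared>
  </UserData>
</Event>
"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# key="regex" or key=%regex% pairs separated by whitespace, the form used in
# the thread's whitelist/blacklist lines (bare EventCode lists are not handled).
_COND_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')


def parse_conditions(setting: str) -> list[tuple[str, re.Pattern]]:
    """Split the right-hand side of a whitelist/blacklist setting into
    (field, compiled regex) pairs."""
    return [(key, re.compile(quoted if quoted else pct))
            for key, quoted, pct in _COND_RE.findall(setting)]


def classic_fields(text: str) -> dict[str, str]:
    """Field dict from the classic rendering; Message keeps everything after it."""
    fields, lines = {}, text.strip().splitlines()
    for i, line in enumerate(lines):
        key, _, value = line.partition("=")
        if key == "Message":
            fields[key] = "\n".join([value] + lines[i + 1:])
            break
        fields[key] = value
    return fields


def xml_fields(xml_text: str) -> dict[str, str]:
    """Fields that exist as text in the XML rendering, named after the
    inputs.conf keys they plausibly correspond to (this mapping is an
    assumption for the example, not Splunk's). TaskCategory and Message are
    simply absent, so no regex on them can ever match."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    return {
        "EventCode": system.findtext("e:EventID", "", NS),
        "Task": system.findtext("e:Task", "", NS),
        "LogName": system.findtext("e:Channel", "", NS),
        "ComputerName": system.findtext("e:Computer", "", NS),
        "SourceName": system.find("e:Provider", NS).get("Name", ""),
    }


def whitelist_matches(fields: dict[str, str], setting: str) -> bool:
    """Every key=regex pair on one line must match for the event to be kept;
    a key the event does not carry can never match."""
    conds = parse_conditions(setting)
    return bool(conds) and all(k in fields and rx.search(fields[k]) for k, rx in conds)


def raw_event_matches(event_text: str, pattern: str) -> bool:
    """One regex over the whole raw event, the way a transforms.conf REGEX or
    a hand-rolled check on the raw XML would see it."""
    return re.search(pattern, event_text, re.S) is not None
```

Running `whitelist_matches` with the thread's `EventCode="^104$" TaskCategory="^Log\sclear"` returns True for `classic_fields(CLASSIC_EVENT)` and False for `xml_fields(XML_EVENT)`, while `EventCode=%^104$%` matches both, which is the behaviour described in the thread. With `raw_event_matches`, the escaped `EventCode\=104.*TaskCategory\=Log\sclear` matches the classic text but not the XML, `EventCode="^104$"` matches neither (the `^` and `$` are literal anchors inside a longer pattern, and the quotes are literals too), and a pattern written for the XML such as `<EventID>104</EventID>.*<LogFileCleared` matches the XML sample. Note that `FORMAT = nullQueue` drops whatever its REGEX matches, so a REGEX used that way keeps events by excluding everything else, not by matching the event you want.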