Security

Graylog whitelist\blacklist?

pfabrizi
Path Finder

I am using Graylog (winlogbeats) to forward windows events to a Linux based UF. I have a props.conf on my indexer and SH to set field alias since Graylog forwards fields with a winlogbeats preface. I have 2 questions:

  1. If I want to whitelist\blacklist on the UF, would I look for the fields with the winlogbeats prefix?
    so instead of this: blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
    would I replace it with this: blacklist1 = Winlogbeat_EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

  2. Should I or should I not put the props.conf on the Linux UF?
    It looks like this:
    [graylog:windows]
    SHOULD_LINEMERGE = false
    TIME_FORMAT=%Y-%b-%d %H:%M:%S
    TZ = UTC
    FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
    FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
    FIELDALIAS-winlogbeat_as_processname = winlogbeat_event_data_ProcessName as Process_Name
    FIELDALIAS-winlogbeat_as_logonid = winlogbeat_event_data_SubjectLogonId as Logon_ID
    FIELDALIAS-winlogbeat_as_user = winlogbeat_user_data_SubjectDomainName as user
    FIELDALIAS-winlogbeat_as_src_user = winlogbeat_user_data_subjectDomainName as src_user
    FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords as action
    FIELDALIAS-winlogbeat_as_security_id = winlogbeat_user_data_SubjectUserSid as Security_ID
    FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_user_data_SubjectDomainName as account_domain

Thanks!

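As an added illustration (not part of the post, and not Splunk's own code), here is a small Python simulation of the blacklist1 line and the FIELDALIAS mapping quoted above, run over constructed winlogbeat-style events. It assumes the key=regex pairs in one blacklistN line are ANDed and searched unanchored, as Splunk's Windows Event Log filters do, and it uses a subset of the props.conf aliases; the two-tab Message sample shows how `\s+` backtracks in front of the negative lookahead, so the original pattern drops the groupPolicyContainer event it was written to keep.

```python
import re

# Alias table taken from the props.conf in the post: raw winlogbeat field -> aliased name.
FIELD_ALIASES = {
    "winlogbeat_event_id": "EventCode",
    "winlogbeat_event_data_ProcessName": "Process_Name",
    "winlogbeat_event_data_SubjectLogonId": "Logon_ID",
    "winlogbeat_user_data_SubjectUserSid": "Security_ID",
}

# The key=regex pairs of the blacklist1 line quoted in the post.
BLACKLIST1 = {"EventCode": r"4662", "Message": r"Object Type:\s+(?!groupPolicyContainer)"}

# Same intent, but (?!\s) forbids \s+ from giving back a tab or space, so the negative
# lookahead is always tested against the object-type text itself.
BLACKLIST1_TIGHT = {"EventCode": r"4662",
                    "Message": r"Object Type:\s+(?!\s)(?!groupPolicyContainer)"}


def alias_fields(event):
    """Add the aliased field names next to the raw winlogbeat ones (raw keys are kept)."""
    out = dict(event)
    for raw, alias in FIELD_ALIASES.items():
        if raw in event:
            out[alias] = event[raw]
    return out


def is_blacklisted(event, rules):
    """True when every key=regex pair matches (AND semantics, assumed; unanchored search).
    A key that is absent from the event never matches, so the entry does not fire."""
    for key, pattern in rules.items():
        value = event.get(key)
        if value is None or not re.search(pattern, str(value)):
            return False
    return True


# Constructed sample events in the flattened winlogbeat shape the post's props.conf expects.
# Windows usually renders the 4662 message with two tabs after "Object Type:" (the edge case).
SAMPLE_EVENTS = {
    "gpo_read":  {"winlogbeat_event_id": "4662", "Message": "Object Type:\t\tgroupPolicyContainer"},
    "user_read": {"winlogbeat_event_id": "4662", "Message": "Object Type:\t\tuser"},
    "logon":     {"winlogbeat_event_id": "4624", "Message": "An account was successfully logged on."},
}


def filter_report(rules, apply_aliases=True):
    """Map each sample event name to whether the blacklist would drop it."""
    return {name: is_blacklisted(alias_fields(ev) if apply_aliases else ev, rules)
            for name, ev in SAMPLE_EVENTS.items()}
```

Running it without `apply_aliases` drops nothing, because the raw events carry `winlogbeat_event_id` and no `EventCode` key for the filter to match; with aliases the original pattern drops both 4662 samples, while the tightened one keeps the groupPolicyContainer read.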