How to manage UF blacklist and whitelist with DS?

SplunkExplorer
Contributor

Hi Splunkers (I know, you're starting to see my posts too much on this forum... sorry!), I'm a bit confused about the management of the blacklist and whitelist mechanism for universal forwarders.

As I wrote in other posts, we are managing a Splunk Cloud for a customer where we are completing, for Windows logs, the migration from WMI to UF. After the installation is completed, we want to manage those UFs with a DS. Reading the docs, I got that the first step to tell a Splunk host "Hey, you are a DS!" is to create the first app to be deployed on clients.
Here the example talks about outputs.conf but, since we already linked the UFs to our HF, we don't need that; we prefer to use inputs.conf, because we want to manage the blacklist and whitelist mechanism through the DS.

The confusing thing for me is: if I want to tell the UF "Hey, collect only a subset of Windows Event Codes", I saw here on the community some posts where people got stuck with whitelist and it was suggested to them to use both parameters: whitelist and blacklist. What I don't understand is why this and, so, the final configuration.

For example, if I want to say in inputs.conf for Security logs "Hey, collect only 4624 and 4625", I will have something like this:

[WinEventLog://Security]
...
<other parameter>
...
whitelist = ?
blacklist = ?


dhruv
Explorer

Hey @SplunkExplorer ,

Yes. So if you want to collect only 4624 and 4625 event codes, your inputs.conf will look like this:

[WinEventLog://Security]
...
<other parameter>
...
whitelist = 4624/4625

This will ensure only these two event codes are ingested and nothing else.

Here is a doc to understand it better - https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf#Event_Log_filtering

https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...

dhruv
Explorer

Hey @SplunkExplorer ,

Small correction. The event codes need to be comma-separated. Thank you for accepting the answer.

[WinEventLog://Security]
...
<other parameter>
...
whitelist = 4624,4625

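As an added example (not code from this thread or from Splunk), a small Python check that reads WinEventLog stanzas from an inputs.conf fragment, flags separator mistakes such as 4624/4625 before the app is pushed from the deployment server, and models which EventCodes the numeric whitelist/blacklist form would admit. The stanzas are constructed, and the precedence modelled (whitelist, if set, must match; blacklist then excludes) and the lo-hi range syntax are assumptions of this example, not a statement of Splunk's exact behaviour.

```python
import re
# Constructed sample: the separator mistake from the thread beside a valid list.
SAMPLE_INPUTS_CONF = """[WinEventLog://Security]
whitelist = 4624/4625
[WinEventLog://System]
whitelist = 7000-7099,1074
blacklist = 7036
"""
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")  # one EventCode or a lo-hi range (assumed syntax)

def parse_stanzas(text):
    """Minimal inputs.conf reader: {stanza: {key: value}}; skips comments/blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def parse_code_list(value):
    """Comma-separated codes/ranges -> (codes, malformed_tokens); '4624/4625' is flagged."""
    codes, bad = set(), []
    for token in filter(None, (t.strip() for t in value.split(","))):
        m = _TOKEN.match(token)
        if not m:
            bad.append(token)
            continue
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        codes.update(range(lo, hi + 1))
    return codes, bad

def lint(text):
    """Malformed list tokens per stanza; run before pushing the app from the DS."""
    return [f"{name}: {key} token {tok!r} is not a comma-separated code or range"
            for name, kv in parse_stanzas(text).items()
            for key in ("whitelist", "blacklist") if key in kv
            for tok in parse_code_list(kv[key])[1]]

def is_collected(stanza, event_code):
    """Assumed simplified model: whitelist, if set, must match; blacklist then excludes."""
    if "whitelist" in stanza and event_code not in parse_code_list(stanza["whitelist"])[0]:
        return False
    return event_code not in parse_code_list(stanza.get("blacklist", ""))[0]
```

In this model a whitelist that parses to no valid codes collects nothing, which is the symptom to look for when a stanza silently stops producing events.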