Splunk Cloud Platform

How to manage UF blacklist and whitelist with DS?

SplunkExplorer
Communicator

Hi Splunkers (I know, you are starting to see my posts too much on this blog... sorry!), I'm a bit confused about the management of the blacklist and whitelist mechanism for universal forwarders.

As I wrote in other posts, we are managing a Splunk Cloud for a customer where we are completing, for Windows logs, the migration from WMI to UF. After the installation is completed, we want to manage those UFs with a DS. Reading the docs, I understood that the first step to tell a Splunk host "Hey, you are a DS!" is to create the first app to be deployed to the clients.
There the example uses outputs.conf but, since we have already linked the UFs to our HF, we don't need that; we prefer to use inputs.conf, because we want to manage the blacklist and whitelist mechanism through the DS.

The confusing thing for me is: if I want to tell the UF "Hey, collect only a subset of Windows Event Codes", I saw here on the community some posts where people got stuck with whitelist and it was suggested to them to use both parameters: whitelist and blacklist. What I don't understand is why this is, and so what the final configuration should be.

For example, if I want to say in inputs.conf for the Security log "Hey, collect only 4624 and 4625", I will have something like this:

[WinEventLog://Security]
...
<other parameter>

...

whitelist = ?
blacklist = ?

1 Solution

dhruv
Explorer

Hey @SplunkExplorer ,

Yes. So if you want to collect only the 4624 and 4625 event codes, your inputs.conf will look like this:

[WinEventLog://Security]

...
<other parameter>

...

whitelist = 4624/4625

This will ensure that only these two event codes are ingested and nothing else.

Here is a doc to understand it better - https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf#Event_Log_filtering

https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...

dhruv
Explorer

Hey @SplunkExplorer ,

Small correction. The event codes need to be comma-separated. Thank you for accepting the answer.

[WinEventLog://Security]

...
<other parameter>

...

whitelist = 4624,4625

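As an added example, not part of the thread and not Splunk's own code: a small Python dry-run of the Event Log ID-list form of whitelist and blacklist (comma-separated IDs and lo-hi ranges, as inputs.conf.spec describes them), run against a handful of constructed sample events, so a stanza can be sanity-checked before the deployment server pushes the app out to the forwarders. It also shows why the slash-separated 4624/4625 from the first reply does not parse as an ID list. The key=%regex% form of the settings is not modelled here, and what happens when an event matches both lists (it is dropped in this example) is an assumption; confirm the precedence in inputs.conf.spec for your version.

```python
"""
Dry-run of Splunk WinEventLog whitelist/blacklist filtering (added illustration).

Not Splunk code. It models only the Event Log ID-list form of the settings
(comma-separated IDs and lo-hi ranges), not the key=%regex% form.
Assumption: an event that is on both lists is dropped; check inputs.conf.spec
for the precedence rules of your version.
"""
import re

# Constructed sample events, not real Security log data.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Message": "An account was successfully logged on."},
    {"EventCode": 4625, "Message": "An account failed to log on."},
    {"EventCode": 4634, "Message": "An account was logged off."},
    {"EventCode": 4672, "Message": "Special privileges assigned to new logon."},
]

# The corrected stanza from the thread: only 4624 and 4625 are collected.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
whitelist = 4624,4625
"""

# A whitelist range trimmed by a blacklist (constructed example).
INPUTS_CONF_BOTH = """
[WinEventLog://Security]
disabled = 0
whitelist = 4624-4634
blacklist = 4634
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_conf(conf_text):
    """Minimal .conf reader: {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_id_list(value):
    """'4624,4625,4768-4771' -> [(4624, 4624), (4625, 4625), (4768, 4771)].

    Raises ValueError for anything that is not an ID or a lo-hi range, which
    is exactly what catches a slash-separated list such as '4624/4625'.
    """
    ranges = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue
        lo, _, hi = element.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            raise ValueError(f"not an Event Log ID list element: {element!r}")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def is_valid_id_list(value):
    try:
        parse_id_list(value)
        return True
    except ValueError:
        return False


def id_ranges(stanza, prefix):
    """Merge <prefix>, <prefix>1 ... <prefix>9 (inputs.conf.spec allows up to
    ten of each list); any match on any of them counts (assumption)."""
    ranges = []
    for key, value in stanza.items():
        if re.fullmatch(rf"{prefix}\d?", key):
            ranges.extend(parse_id_list(value))
    return ranges


def in_ranges(code, ranges):
    return any(lo <= code <= hi for lo, hi in ranges)


def collect(stanza, events):
    """Return the events the forwarder would ship under this stanza."""
    allow = id_ranges(stanza, "whitelist")
    deny = id_ranges(stanza, "blacklist")
    kept = []
    for event in events:
        code = event["EventCode"]
        if allow and not in_ranges(code, allow):   # whitelist set: must match it
            continue
        if deny and in_ranges(code, deny):         # blacklist set: must not match it
            continue
        kept.append(event)
    return kept


def collected_codes(conf_text, events=SAMPLE_EVENTS):
    stanza = parse_conf(conf_text)["WinEventLog://Security"]
    return [event["EventCode"] for event in collect(stanza, events)]


if __name__ == "__main__":
    print("whitelist only :", collected_codes(INPUTS_CONF))        # [4624, 4625]
    print("both lists     :", collected_codes(INPUTS_CONF_BOTH))   # [4624, 4625]
    print("'4624/4625' valid?", is_valid_id_list("4624/4625"))     # False
```

Run it directly to see both stanzas evaluated: with only a whitelist, 4634 and 4672 are dropped, and with the 4624-4634 range plus a blacklist entry for 4634 the same two events survive. Swapping in your own stanza text and a few representative event codes is a cheap check to run before adding the app to a serverclass on the DS.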