
Can I apply an inputs.conf WinEventLog stanza by regex or IP range with a whitelist?

wyodoc1
Explorer

Because Windows SID translation needs to be pointed at a specific Domain Controller based on IP, can we point our DMZ Universal Forwarders to the DC in the DMZ (IP=205.x.x.x) and point everything else to our internal DC? I know you can whitelist files and hosts using regex, but what about IP, or a regex on the IP? I would rather not have to maintain a list of which servers are in the DMZ and update the list as they are added and removed.

# DMZ forwarders (205.x.x.x): resolve SIDs against the DMZ DC
[WinEventLog://Security]
whitelist = 205.*
evt_dc_name = app-ldap-servers.domainname.com

# Everything else: resolve SIDs against the internal DC
[WinEventLog://Security]
blacklist = 205.*
evt_dc_name = internal-app-ldap-servers.domainname.com

woodcock
Esteemed Legend

No, you cannot; whenever you duplicate any WinEventLog stanza, the last one takes precedence and all earlier stanzas are completely ignored. You have two options: you can stand up two instances of Splunk on the forwarder and configure each one with one of the stanzas (this is really not a big deal and works great), or you can carve out one set of events, send them to a logfile using Windows tools, and have Splunk monitor that logfile. This answer discusses the latter solution:

http://answers.splunk.com/answers/314099/for-wineventlogsecurity-how-to-use-renderxmltrue-f-1.html

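As an added example (not from the original post and not Splunk's own code), a small lint that applies the precedence rule woodcock describes, last duplicate stanza wins and earlier copies are ignored, to the asker's two stanzas and reports the copy that would be silently dropped. The inputs.conf text and the minimal parser are constructed here; the lint models the rule as stated in the answer, not Splunk's full btool merge logic.

```python
"""Lint an inputs.conf fragment for duplicate WinEventLog stanzas (added example)."""
import re

# Matches a stanza header such as [WinEventLog://Security]
STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample: the two stanzas from the question, in the order posted.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
whitelist = 205.*
evt_dc_name = app-ldap-servers.domainname.com

[WinEventLog://Security]
blacklist = 205.*
evt_dc_name = internal-app-ldap-servers.domainname.com
"""


def parse_stanzas(text):
    """Split inputs.conf text into an ordered list of (name, settings) blocks.
    Duplicates are kept so the caller can see every copy of a stanza."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            blocks.append((header.group(1), {}))
        elif blocks and "=" in line:
            key, _, value = line.partition("=")
            blocks[-1][1][key.strip()] = value.strip()
    return blocks


def effective_config(blocks):
    """Apply the last-wins rule from the answer: return (effective, shadowed),
    where shadowed lists the earlier copies whose settings are ignored."""
    effective, shadowed = {}, []
    for name, settings in blocks:
        if name in effective:
            shadowed.append((name, effective[name]))
        effective[name] = settings  # later copy replaces the earlier one outright
    return effective, shadowed


def lint(text):
    """Return one finding per stanza copy that a last-wins merge discards."""
    effective, shadowed = effective_config(parse_stanzas(text))
    return [f"[{name}] with {old} is ignored; effective settings: {effective[name]}"
            for name, old in shadowed]


if __name__ == "__main__":
    for finding in lint(SAMPLE_INPUTS_CONF):
        print(finding)
```

Running it against the sample shows that the DMZ stanza (whitelist, DMZ DC) is the one dropped, so every host would resolve SIDs against the internal DC.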