Yes , I restarted the whole splunk server

Other silly question... what versión of universal forwarder are you running?

If you still have problems use my method 🙂

Hi , the version is 6.3.2

And your stanza is

[WinEventLog:Security] OR [WinEventLog://Security]

Becouse the first one is incorrect

my stanza is [WinEventLog:Security] , i will correct it now and check, update soon.

btw , only need to edit in /opt/splunk/etc/system/local/inputs.conf or also in win app - /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows ?

system local configuration persist over ALL

Ok will correct it now and update you..

i followed the blog, i don't have group policy so i configured this:

[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"
but still getting the events in splunk
any ideas?

Silly question – have you restarted the forwarder?

Tnx for quick reply,appreciate it!
i configured the following config in inputs.conf :

host = mysplunk
[splunktcp://9997]
[WinEventLog:System]
disabled = 0

only index events with these event IDs.

whitelist = 7036-7037

exclude these event IDs from being indexed.

blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
whitelist = 0-1
blacklist = 4725-4800
I configured it in /opt/splunk/etc/system/local/inputs.conf , restarted splunk and still get unrelevant events
i copied to the /opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf and to /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local/inputs.conf , restarted splunk and still the same
Do i have to edit props.conf and transforms.conf ?
Tnx in advance

The above looks good. try running this command

   ./splunk cmd btool inputs list --debug

and checking the output to see if the inputs arent being overruled by another blacklist setting in conf files in other splunk apps.

Hi
Here is the output fragment of the debug command,
host = splunk-102
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = w indows
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxSocket s = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxThread s = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 80 88
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = po rt
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf useDeploy mentServer = 0
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrint Mon://printer]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf dedicated IoThreads = 2
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf enableSSL = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dc_na me =
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dns_n ame =
host = splunk-102
How can i define if the input arent being overruled?

Tnx