Splunk Search

No Event Code 1024 appear

g_paternicola
Path Finder

Hello everyone,

I have the following inputs.conf file which is actually working for the first 2 stanza, but not for the third one. could someone please tell me why? I do not get any events from them.

[WinEventLog://Security]
disabled = 0
renderXml = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
sourcetype = XmlWinEventLog
index = ad
whitelist1=4624,4769,4728,4732,4756,4761,4751,4746

# This stanza will send all events for the event_code 21
[WinEventLog://Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
disabled = 0
renderXml = 1
sourcetype = XmlWinEventLog
index = ad
source="XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
whitelist2=21

# This stanza will send all events for the event_code 1024
[WinEventLog://Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
disabled = 0
renderXml = 1
sourcetype = XmlWinEventLog
index = ad
source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
whitelist3=1024

 

Thank you very much for helping me!

 

Labels (1)
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>