Hi All,
My inputs.conf is as follows:
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="26|25|19"
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5
Result: getting all events which include 26, 25, 19, i.e. 326, 1026, 1025, 10025, 259, 258 and more.
I also tried:
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="^26$|^25$|^19$"
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5
But same results.
Thanks in advance.
You can use ranges of event IDs in the whitelist and blacklist without the regex.
Example:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-2000,3001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000
More information from the docs:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata#Configuration_set...
Has someone faced the same issue?
Have you tried the following?
[WinEventLog://Application]
disabled = 0
whitelist = 26,25,19
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5
Hope it helps!!!
Yes, I have tried this but it does not work.
With my config, I just need to get the regex to get the exact EventCode.
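As an added illustration (not code from this thread or from Splunk), the snippet below applies the two regex whitelists from the original post and the range-style whitelist/blacklist from the first answer to a constructed list of EventCode values. It assumes the matcher behaves like Python's re.search (an unanchored search over the field value), which is what the first result suggests, and the sample codes are made up to echo the IDs the post lists.

```python
import re

# Constructed EventCode values (not from the thread); they echo the IDs the
# original post lists as showing up unexpectedly.
SAMPLE_EVENT_CODES = ["26", "25", "19", "326", "1026", "1025", "10025", "259", "258"]


def regex_whitelist(event_codes, pattern):
    """Keep the codes that the whitelist regex matches.

    Assumption: the matcher behaves like re.search, i.e. an unanchored search
    over the field value, so '26|25|19' also hits 326, 1026 and 10025 because
    they contain '26' or '25' as a substring.
    """
    compiled = re.compile(pattern)
    return [code for code in event_codes if compiled.search(code)]


def parse_id_ranges(spec):
    """Expand a '0-2000,3001-10000' style list into a set of event IDs."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def range_whitelist(event_codes, whitelist_spec, blacklist_spec=""):
    """Keep codes inside the whitelist ranges and outside the blacklist ranges."""
    allowed = parse_id_ranges(whitelist_spec)
    blocked = parse_id_ranges(blacklist_spec)
    return [c for c in event_codes if int(c) in allowed and int(c) not in blocked]


if __name__ == "__main__":
    # Unanchored: every sample code matches, which is the behaviour the post reports.
    print(regex_whitelist(SAMPLE_EVENT_CODES, "26|25|19"))
    # Anchored: only the exact codes 26, 25 and 19 match.
    print(regex_whitelist(SAMPLE_EVENT_CODES, "^26$|^25$|^19$"))
    # Range form from the first answer: 10025 falls outside 3001-10000.
    print(range_whitelist(SAMPLE_EVENT_CODES, "0-2000,3001-10000", "2001-3000"))
```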