The whitelist is not working for windows event logs. Is there something I'm doing wrong?
I'm trying to exclude event 4625 from blacklist1 because it is logged as information.
[WinEventLog://Security]
disabled=0
whitelist = EventCode="4625"
blacklist1 = Type = "(Information)"
blacklist2 = Type = "(Security Audit Success)"
blacklist3 = EventCode="36888"
If you are trying to exclude event 4625, then you should not use the whitelist.
The whitelist will include events that match the following pattern.
Comments from the documentation - https://docs.splunk.com/Documentation/Splunk/7.2.5/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...
"Example:
whitelist = EventCode=%^200$% User=%jrodman%
Include events only if they have EventCode 200 and relate to User jrodman"
Just use the blacklist if you want to drop EventCode 4625.
Maybe try
blacklist1 = EventCode="4625"
or
blacklist1 = EventCode="4625" Type = "(Information)"
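To see how the whitelist and blacklist settings above interact, here is an added example (not from the original post or from Splunk) that parses the key=regex filter syntax quoted from the docs and applies it to a few constructed events. It assumes a whitelist restricts indexing to matching events and a matching blacklist then drops an event even if the whitelist matched; that precedence is an assumption of this model, not verified against Splunk's source.

```python
import re

# A filter line is one or more "key=regex" pairs, each regex delimited by
# % or " (e.g. EventCode=%^200$% User=%jrodman%). All pairs must match.
FILTER_RE = re.compile(r'(\w+)\s*=\s*([%"])(.*?)\2')


def parse_filter(spec):
    """Return a list of (key, compiled regex) pairs from a filter line."""
    pairs = FILTER_RE.findall(spec)
    if not pairs:
        raise ValueError("no key=regex pairs found in: " + spec)
    return [(key, re.compile(pattern)) for key, _, pattern in pairs]


def matches(event, pairs):
    # re.search: '^200$' is anchored by the regex itself, 'jrodman' is not.
    return all(rx.search(str(event.get(key, ""))) for key, rx in pairs)


def decide(event, whitelist=None, blacklists=()):
    """Return True if the event would be indexed under this model.

    Assumption: a whitelist (if set) must match first, and any matching
    blacklist then drops the event regardless of the whitelist."""
    if whitelist and not matches(event, whitelist):
        return False
    return not any(matches(event, bl) for bl in blacklists)


def apply_config(events, whitelist_spec=None, *blacklist_specs):
    """Return the EventCodes kept by the given whitelist/blacklist lines."""
    wl = parse_filter(whitelist_spec) if whitelist_spec else None
    bls = [parse_filter(spec) for spec in blacklist_specs]
    return [e["EventCode"] for e in events if decide(e, wl, bls)]


# Constructed sample events; field values are illustrative only.
EVENTS = [
    {"EventCode": "4625", "Type": "Information", "User": "alice"},
    {"EventCode": "4624", "Type": "Information", "User": "alice"},
    {"EventCode": "36888", "Type": "Error", "User": "SYSTEM"},
    {"EventCode": "200", "Type": "Information", "User": "jrodman"},
]

if __name__ == "__main__":
    # The original config: whitelist 4625 plus a blacklist on Type keeps nothing.
    print(apply_config(EVENTS, 'EventCode="4625"', 'Type = "(Information)"', 'EventCode="36888"'))
    # The suggested config: no whitelist, blacklist 4625 (and 36888) directly.
    print(apply_config(EVENTS, None, 'EventCode="4625"', 'EventCode="36888"'))
```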
I looked at this documentation and others and ran various btool options. I have no errors reported with btool check and regex-validate. The debug output seems pretty clean also.