Re: whitelist windows event logs

splunkbeef · ‎01-03-2019

The whitelist is not working for windows event logs. Is there something I'm doing wrong?
I'm trying to exclude event 4625 from blacklist1 because it is logged as information.

[WinEventLog://Security]
disabled=0
whitelist = EventCode="4625"
blacklist1 = Type = "(Information)"
blacklist2 = Type = "(Security Audit Success)"
blacklist3 = EventCode="36888"

ssadh_splunk · ‎03-28-2019

If you are trying to exclude the event 4625, then you should not use whitelist.
Whitelist will include the following pattern.

Comments from documentation - https://docs.splunk.com/Documentation/Splunk/7.2.5/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...
" * Example:
whitelist = EventCode=%^200$% User=%jrodman%
Include events only if they have EventCode 200 and relate to User jrodman
"
Just try to use Blacklist if you want to drop EventCode 4625.
Maybe try
blacklist1 = EventCode="4625"
or
blacklist1 = EventCode="4625" Type = "(Information)"

muralikoppula · ‎01-03-2019

Check the below answers:
https://answers.splunk.com/answers/235768/not-able-to-whitelist-windows-events-logs.html
https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

splunkbeef · ‎01-04-2019

I looked at this documentation and others. Ran various btool options, I have no errors reported with btool check, and regex-validate. The debug output seems pretty clean also.

whitelist windows event logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation