I need assistance with whitelisting as I can’t make it work. I’m running the free trial version 9.0.0 of Splunk Enterprise. I have 1 Receiver (on a CentOS VM), and some Windows and CentOS systems (VMs and physical devices) with the Universal Forwarder installed. I’m getting data in from all my systems. On the Windows systems I only need to see data from select Windows Security Log Events and would like to exclude all other log data/events. I’ve read Splunk’s documentation about whitelisting and I guess I just don’t understand what I’m reading. It doesn’t seem to be working as my license usage hasn’t decreased and/or I don’t know how to verify if it’s working.
I created an inputs.conf file in the following location: /etc/system/local/ on the Universal Forwarders and its content is:
[WinEventLog://Security]
whitelist=1100,1101,1102,4616,4624,4625,4634,4647,4648,4657,4704,4705,4719,4720,4722,4723,4724,4725,4726,4740,4767,4776,4777,4616
Is this correct?
Do I have to put the statement disabled = 0 or is it implied?
I haven’t configured anything through Splunk web, do I need to do that?
Where do I save the inputs.conf file? On the Receiver only, on the Universal Forwarders only, or on both?
Do I need to include all the statements from the default inputs.conf file in my new one?
Besides decreased license usage, is there a way to know if my whitelist is working?
Thank you for any and all help.
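As an added example (not part of the post or of Splunk's own code), the script below emulates how a WinEventLog whitelist in inputs.conf decides which Security events the forwarder keeps, for both the plain comma-separated EventCode list used in the post and the documented key=%regex% form; parse_whitelist and filter_events are hypothetical helpers and the sample events are constructed.

```python
# Added example: emulate Splunk's WinEventLog whitelist decision for a stanza.
# A plain list is matched against EventCode; "EventCode=%regex%" applies the regex.
import re
from configparser import ConfigParser

# Constructed inputs.conf text mirroring the stanza in the post (with disabled = 0 spelled out).
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
whitelist = 1100,1101,1102,4616,4624,4625,4634,4647,4648,4657,4704,4705,4719,4720,4722,4723,4724,4725,4726,4740,4767,4776,4777,4616
"""

def parse_whitelist(conf_text, stanza="WinEventLog://Security"):
    """Return a predicate that is True for events the stanza's whitelist keeps."""
    cp = ConfigParser(interpolation=None)   # '%' is literal in Splunk regex delimiters
    cp.read_string(conf_text)
    raw = cp.get(stanza, "whitelist", fallback="").strip()
    if not raw:
        return lambda event: True           # no whitelist: every event is forwarded
    m = re.fullmatch(r"(\w+)=%(.*)%", raw)
    if m:                                   # key=%regex% form, e.g. EventCode=%^(4624|4625)$%
        key, pattern = m.group(1), re.compile(m.group(2))
        return lambda event: pattern.search(str(event.get(key, ""))) is not None
    codes = {c.strip() for c in raw.split(",") if c.strip()}  # duplicate codes collapse
    return lambda event: str(event.get("EventCode", "")) in codes

def filter_events(conf_text, events):
    """Return only the events the whitelist would let through."""
    keep = parse_whitelist(conf_text)
    return [e for e in events if keep(e)]

# Constructed sample Security events: only codes on the list should survive.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Message": "An account was successfully logged on."},
    {"EventCode": 4625, "Message": "An account failed to log on."},
    {"EventCode": 4672, "Message": "Special privileges assigned to new logon."},
    {"EventCode": 4688, "Message": "A new process has been created."},
    {"EventCode": 1102, "Message": "The audit log was cleared."},
]

if __name__ == "__main__":
    for e in filter_events(INPUTS_CONF, SAMPLE_EVENTS):
        print(e["EventCode"], e["Message"])
```

Running `sourcetype=WinEventLog:Security | stats count by EventCode` on the indexer shows which codes actually arrive from the forwarders, which is the direct check the post asks for.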