I had been using an inputs.conf whitelist to filter event logs by event code, but now I would like to send all security logs to Splunk from the forwarder. Is simply removing the whitelist entry and restarting the Splunk forwarder service enough to do this? I tried this, and it hasn't started sending the data yet, it seems...
before:
[default]
host = <Computer’s Name>
index = <index name>
[WinEventLog://Security]
disabled = 0
whitelist=528,538,540,551,4624,4634,4647,4648,4800,4801
index = <index name>
after:
[default]
host = <Computer’s Name>
index = <index name>
[WinEventLog://Security]
disabled = 0
index = <index name>
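An added example, not from the post and not Splunk's own code, that loads both inputs.conf versions above and reports which Security EventCodes each one would forward. It assumes a constructed host and index name in place of the placeholders, and it also accepts the `a-b` range form of the numeric list, which goes beyond the single codes the post uses.

```python
import configparser
from typing import Optional, Set

# Constructed copies of the two inputs.conf versions from the question,
# with placeholder host/index values filled in for the demo.
INPUTS_BEFORE = """
[default]
host = LAB-DC01
index = wineventlog

[WinEventLog://Security]
disabled = 0
whitelist=528,538,540,551,4624,4634,4647,4648,4800,4801
index = wineventlog
"""

INPUTS_AFTER = """
[default]
host = LAB-DC01
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog
"""

def load_inputs(text: str) -> configparser.ConfigParser:
    # [default] in inputs.conf is inherited by every stanza; configparser
    # models that with default_section. Interpolation is off so a '%' in
    # a value cannot break parsing.
    cp = configparser.ConfigParser(interpolation=None, default_section="default")
    cp.read_string(text)
    return cp

def parse_code_list(value: str) -> Set[int]:
    # Expands "528,4624-4634" into the set of EventCodes it names.
    codes: Set[int] = set()
    for part in value.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            codes.update(range(int(lo), int(hi or lo) + 1))
    return codes

def effective_whitelist(cp: configparser.ConfigParser, stanza: str) -> Optional[Set[int]]:
    # None means "no whitelist": every event in the channel is forwarded.
    # A disabled stanza forwards nothing, so it returns an empty set.
    if not cp.has_section(stanza) or cp[stanza].get("disabled", "0") == "1":
        return set()
    wl = cp[stanza].get("whitelist")
    return parse_code_list(wl) if wl else None

def is_forwarded(cp: configparser.ConfigParser, stanza: str, event_code: int) -> bool:
    wl = effective_whitelist(cp, stanza)
    return True if wl is None else event_code in wl
```

The script models only the filter: it says nothing about the forwarder's read checkpoint, which is why events that were filtered before the change are not replayed after the restart; only events written from then on arrive unfiltered.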