Hi,
I am trying to pull event logs from remote machines using universal forwarders. I have done the configuration in the inputs.conf files.
Below is the configuration in my inputs.conf file.
[WinEventLog://Application]
disabled = 0
index = win_events
crcSalt = SOURCE
[WinEventLog://Security]
disabled = 0
index = win_events
crcSalt = SOURCE
[WinEventLog://System]
disabled = 0
index = win_events
crcSalt = SOURCE
[WinEventLog://Setup]
disabled = 0
index = win_events
crcSalt = SOURCE
Now I don't want all event codes from the logs. I would require only 4800 and 4801.
Is there any way in which only the events related to the two event codes can be forwarded to an index?
Thanks
[WinEventLog://ForwardedEvents]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
index = wineventlog
# Filtering can be done with regex on the following field names : Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User
whitelist = EventCode=%^(400|1102|4610|4624|4625|4656|4662|4663|4697|4698|4723|4724|4728|4738|4756|4759|4765|4768|4769|4771|4776|4794|1|2|3|7|11|13|22)$%
blacklist01 = User=%^.*\$$%
blacklist02 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = true
suppress_text = true
suppress_sourcename = true
suppress_keywords = true
suppress_task = true
suppress_opcode = true
Have a look at this: (inputs.conf setting on Universal Forwarder)
OR
https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk
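As an added example (not part of this thread, and not Splunk's own code), the small Python model below evaluates inputs.conf-style whitelist/blacklist lines against constructed events, so the regexes can be sanity-checked before deploying them to a forwarder. It assumes the documented key=regex syntax with %...% or "..." delimiters, that several pairs on one line are ANDed, and that an event is kept when it matches any whitelist line and no blacklist line; the event records are constructed samples.

```python
import re

# One key=regex pair; the regex may be delimited by %...%, "...", or be a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:%([^%]*)%|"([^"]*)"|(\S+))')

def parse_filter(value):
    """Turn 'EventCode="4662" Message="..."' into [(field, compiled_regex), ...]."""
    pairs = []
    for m in PAIR_RE.finditer(value):
        regex = next(g for g in m.groups()[1:] if g is not None)
        pairs.append((m.group(1), re.compile(regex)))
    return pairs

def matches(pairs, event):
    # Assumption: all pairs on one filter line must match (AND); a missing field never matches.
    return all(k in event and rx.search(str(event[k])) for k, rx in pairs)

def keep_event(event, whitelists, blacklists):
    # Assumption: kept if any whitelist line matches (or none is set) and no blacklist line matches.
    wl_ok = not whitelists or any(matches(w, event) for w in whitelists)
    return wl_ok and not any(matches(b, event) for b in blacklists)

def filter_events(events, whitelists, blacklists):
    return [e for e in events if keep_event(e, whitelists, blacklists)]

# Whitelist answering the question: only 4800 (workstation locked) and 4801 (unlocked).
LOCK_ONLY = [parse_filter("EventCode=%^(4800|4801)$%")]

# The two blacklist lines from the answer above: drop machine accounts (names ending in $)
# and drop 4662 events unless the object type is a groupPolicyContainer.
ANSWER_BLACKLIST = [
    parse_filter(r"User=%^.*\$$%"),
    parse_filter(r'EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"'),
]

# Constructed sample events (not real log data). 48001 is not a real ID; it is here to
# show why the ^ and $ anchors in the whitelist matter.
EVENTS = [
    {"EventCode": "4800", "User": "CORP\\alice", "Message": "The workstation was locked."},
    {"EventCode": "4801", "User": "CORP\\alice", "Message": "The workstation was unlocked."},
    {"EventCode": "48001", "User": "CORP\\alice", "Message": "bogus id with 4800 as a prefix"},
    {"EventCode": "4624", "User": "CORP\\WS01$", "Message": "An account was successfully logged on."},
    {"EventCode": "4662", "User": "CORP\\bob", "Message": "Object Type: user"},
    {"EventCode": "4662", "User": "CORP\\bob", "Message": "Object Type: groupPolicyContainer"},
]

if __name__ == "__main__":
    for e in filter_events(EVENTS, LOCK_ONLY, []):
        print(e["EventCode"], e["Message"])
```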