I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs
so I modified the "inputs.conf" file which contains:
whitelist = EventCode=4625
blacklist = EventCode=4624,4634,4648,4670,4672
On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?
Hi dyude @jonsantos ,
Can u try this,
On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file.
[WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625
An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder.
Search the logs with the given index name(if any).
Let me know if this helps
I have configured my \etc\system\local\inputs.conf as follows:
disabled = 0
whitelist = EventCode="4625"
The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.