Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Whitelist/Blacklist Event ID using Forwarder Management

jonsantos
Engager
‎11-08-2018 01:53 PM

I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs
so I modified the "inputs.conf" file which contains:

[WinEventLog:Security]
disabled=0

only index events with these event IDs.

whitelist = EventCode=4625
blacklist = EventCode=4624,4634,4648,4670,4672

On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?

Tags (1)
0 Karma
Reply

vinod94
Contributor
‎01-26-2020 12:29 PM

Hi dyude @jonsantos ,
Can u try this,

On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file.

[WinEventLog://Security]
disabled = 0
whitelist1 = EventCode=4625

An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder.

Search the logs with the given index name(if any).

Let me know if this helps

0 Karma
Reply

sswigart
New Member
‎01-24-2020 09:35 AM

I have configured my \etc\system\local\inputs.conf as follows:

[WinEventLog://Security]
disabled = 0

whitelist = EventCode="4625"

The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.

0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...