Getting Data In

Whitelist/Blacklist Event ID using Forwarder Management

jonsantos
Engager

I am running Splunk Enterprise 7.1.1 and testing how the Forwarder Management uses the Serverclass.conf for Event ID whitelisting / blacklisting. I created a folder directory "winevt" in the $SPLUNK_HOME/etc/deployment-apps folder to enable the "winevt" App. I created a server class called "PROD" and moved 1 machine over to it. I then created a default directory with a "inputs.conf" file in this path $SPLUNK_HOME/etc/deployment-apps/winevt. I'd like to test whitelisting only event id 4625 from the windows security logs
so I modified the "inputs.conf" file which contains:

[WinEventLog:Security]
disabled=0

only index events with these event IDs.

whitelist = EventCode=4625
blacklist = EventCode=4624,4634,4648,4670,4672

On the universal forwarder, i do see that this file appears from C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\default. However, I do not see any security logs being forwarded to my indexer. Any ideas on what i'm doing wrong?

Tags (1)
0 Karma

vinod94
Contributor

Hi dyude @jonsantos ,
Can u try this,

On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file.

[WinEventLog://Security]
disabled = 0
whitelist1 = EventCode=4625

An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder.

Search the logs with the given index name(if any).

Let me know if this helps

0 Karma

sswigart
New Member

I have configured my \etc\system\local\inputs.conf as follows:

[WinEventLog://Security]
disabled = 0

whitelist = EventCode="4625"

The above whitelist only forwards event ID 4625 log events to my collector. I did not have to blacklist any other event IDs.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...