product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
How to filter Windows event logs
- release date
- 2016-05-27
- last updated
- 2023-12-05
- version
- Splunk Enterprise 9.0.3
- Overview
- How to filter Windows event logs
- Reference information
-
- Monitor file system changes in Windows
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorfilesystemchangesonWindows
- Monitor file system changes in Windows
- content
-
When forwarding Windows event logs to indexers using forwarders, it is possible to implement blacklist and whitelist filtering based on the contents of the Windows event logs.
For filtering, you can use the event ID or message of the Windows event log as a key.
In this FAQ, we mainly guide you on how to specify the target log by event ID.
*Notes on settings
- Specify keys such as event IDs and messages in regular expressions for Windows event logs that you want to forward/exclude using blacklist or whitelist.
- If you would like to use something other than the event ID as a filtering condition, please see the link below.
https://docs.splunk.com/Documentation/Splunk/9.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues - If you need to implement filtering on the indexer side, please refer to the contents of "* Note 1" described later. Filtering using blacklist and whitelist is not available.
How to exclude and forward specific event IDs
If you want to exclude Windows event logs with specific event IDs, please set blacklist in forwarder's inputs.conf.
Specific setting examples are shown below.
Example 1) I want to exclude the Windows event log with event ID "4672"
[WinEventLog://System]
blacklist = EventCode="4672"Example 2) I want to exclude Windows event logs with event IDs "4672", "4660", and "5065"
* Any of the following expressions are possible.
[WinEventLog://System]
blacklist = EventCode="4672|4660|5065"or
[WinEventLog://System]
blacklist1 = EventCode="4672"
blacklist2 = EventCode="4660"
blacklist3 = EventCode="5065"*Please specify within the range of blacklist1 to 9.
Example 3) I want to exclude events for users whose event ID is "4672" and whose account name starts with WIN.
[WinEventLog://System]
blacklist = EventCode="4672" Message="アカウント名:\t\tWIN.+"How to forward by specifying a specific event ID
If you want to forward Windows event logs with multiple specified event IDs, please set the whitelist in the forwarder's inputs.conf.
Example 4) I want to specify and transfer the Windows event log with the event ID "4672"
[WinEventLog://System]
whitelist = EventCode="4672"Example 5) I want to specify and transfer Windows event logs with event IDs "4672", "4660", and "5065"
* Any of the following expressions are possible.
[WinEventLog://System]
whitelist = EventCode="4672|4660|5065"or
[WinEventLog://System]
whitelist1 = EventCode="4672"
whitelist2 = EventCode="4660"
whitelist3 = EventCode="5065"*Please specify within the range of whitelist1 to 9.
Example 6) I want to forward the event of a user whose event ID is "4672" and whose account name starts with WIN.
[WinEventLog://System]
whitelist = EventCode="4672" Message="アカウント名:\t\tWIN.+"*Note 1
If you need to implement filtering on the indexer side, edit the indexer's props.conf and transforms.conf.
See the link below for more information on how to implement filtering in your indexers.
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
*Note 2
If the same file is specified in blacklist and whitelist, blacklist settings take precedence.
Also, numbered blacklists and whitelists are only supported from 1 to 9. Please do not assign more numbers.
All files not specified in either blacklist or whitelist will be read.
Please see the link below for details.
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
that's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
