How to filter Windows event logs
- release date: 2016-05-27
- last updated: 2023-12-05
- version: Splunk Enterprise 9.0.3

Overview
- How to filter Windows event logs

Reference information
- Monitor file system changes in Windows
  https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorfilesystemchangesonWindows

Content
When Windows event logs are forwarded to indexers through a forwarder, the forwarder can apply blacklist and whitelist filters based on the contents of each event.
The filter key can be the event ID (EventCode) or the event message.
This FAQ mainly explains how to select the target events by event ID.

*Notes on settings
- In the blacklist or whitelist, specify the keys (event ID, message, and so on) of the Windows event logs you want to forward or exclude as regular expressions.
- The stanza name must match the channel that records the events: event IDs 4672, 4660 and 5065, used in the examples below, are recorded in the Security log, so they belong under [WinEventLog://Security], not [WinEventLog://System].
- To filter on something other than the event ID, see the link below.
  https://docs.splunk.com/Documentation/Splunk/9.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues
- Blacklist and whitelist filtering is performed by the input on the forwarder. If you need to filter on the indexer side, see "*Note 1" below; the inputs.conf blacklist and whitelist keys are not available there.
How to exclude specific event IDs from forwarding
To exclude Windows event logs with specific event IDs, set a blacklist in the forwarder's inputs.conf.
Specific setting examples are shown below. Because event IDs 4672, 4660 and 5065 are recorded in the Security log, the stanzas use the Security channel; use the stanza of whichever channel records the events you want to filter.

Example 1) Exclude the Windows event log with event ID "4672"

[WinEventLog://Security]
blacklist = EventCode="4672"

Example 2) Exclude Windows event logs with event IDs "4672", "4660" and "5065"
* Either of the following expressions is possible.

[WinEventLog://Security]
blacklist = EventCode="4672|4660|5065"

or

[WinEventLog://Security]
blacklist1 = EventCode="4672"
blacklist2 = EventCode="4660"
blacklist3 = EventCode="5065"

* Numbered keys are supported from blacklist1 to blacklist9 only.

Example 3) Exclude events with event ID "4672" whose account name starts with WIN

[WinEventLog://Security]
blacklist = EventCode="4672" Message="アカウント名:\t\tWIN.+"

* The Message text is locale-dependent: アカウント名 is the Japanese-locale label for "Account Name", followed by two tabs in the event text. On an English-locale host the same condition is Message="Account Name:\t\tWIN.+".

How to forward only specific event IDs
To forward only Windows event logs with one or more specified event IDs, set a whitelist in the forwarder's inputs.conf.

Example 4) Forward only the Windows event log with event ID "4672"

[WinEventLog://Security]
whitelist = EventCode="4672"

Example 5) Forward only Windows event logs with event IDs "4672", "4660" and "5065"
* Either of the following expressions is possible.

[WinEventLog://Security]
whitelist = EventCode="4672|4660|5065"

or

[WinEventLog://Security]
whitelist1 = EventCode="4672"
whitelist2 = EventCode="4660"
whitelist3 = EventCode="5065"

* Numbered keys are supported from whitelist1 to whitelist9 only.

Example 6) Forward only events with event ID "4672" whose account name starts with WIN

[WinEventLog://Security]
whitelist = EventCode="4672" Message="アカウント名:\t\tWIN.+"

* The locale note under Example 3 applies to the Message key here as well.

*Note 1
If you need to filter on the indexer side, edit props.conf and transforms.conf on the indexer instead; the blacklist and whitelist keys of inputs.conf are applied only by the Windows event log input on the forwarder.
See the link below for how to implement filtering on indexers.
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
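The FAQ defers to the Splunk documentation for the indexer-side method. As an added example, not part of the original FAQ, the following props.conf and transforms.conf fragments drop the same three event IDs on the indexer with the standard nullQueue routing. It assumes the events arrive with source WinEventLog:Security in the classic (non-XML) rendering, in which each event contains a line EventCode=<id>; with renderXml = true the regex would have to match the <EventID> element instead. The stanza and transform names are chosen for this example.

```ini
# props.conf on the indexer (or heavy forwarder) that parses the events.
# The classic Windows event log input sets source to WinEventLog:<channel>;
# matching on source rather than sourcetype keeps the rule valid even if an
# add-on has renamed the sourcetype. Adjust if your source differs.
[source::WinEventLog:Security]
TRANSFORMS-drop_noisy_eventcodes = drop_security_4672_4660_5065

# transforms.conf on the same host.
[drop_security_4672_4660_5065]
# Classic-rendered events carry a line "EventCode=<id>". (?m) lets ^ and $
# match at line boundaries inside the multi-line event; the anchors stop
# "4672" from also matching a longer code such as 14672.
REGEX = (?m)^EventCode=(4672|4660|5065)$
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after editing; only events parsed after the restart are affected, and events already indexed are not removed. These files must live on the host that parses the data (indexer or intermediate heavy forwarder), not on a universal forwarder. To keep only these three IDs rather than drop them, use two transforms listed in order in TRANSFORMS-: a first one with REGEX = . and FORMAT = nullQueue that discards everything, and a second one with the same EventCode regex and FORMAT = indexQueue that puts the wanted events back.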
*Note 2
If an event matches both the blacklist and the whitelist, the blacklist takes precedence and the event is dropped.
Numbered blacklists and whitelists are supported only from 1 to 9; do not use higher numbers.
With only a blacklist, every event that does not match it is forwarded. With a whitelist, only events that match it are forwarded. With neither, all events in the channel are forwarded.
The values are regular expressions, so anchor them (for example EventCode="^4672$") when only the exact value should match.
See the link below for details.
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
End.

Contact: Macnica, Inc., Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Weekdays 9:00-17:00