Using Splunk 6.4.1
I am trying to monitor the WinEventLog://Security; however, I only need to monitor two EventCodes (4732 and 4624). Additionally, we are looking to remove all service accounts from the indexing (i.e. NT AUTHORITY, kerberos, etc.).
I had tried using a blacklist/whitelist with no luck, and now I am working through trying to utilize transforms.conf.
Any help would be appreciated.
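As an added example (not the poster's configuration, and not verified against their environment), one way to express both requirements in Splunk 6.x is an EventCode whitelist on the input stanza plus a nullQueue/indexQueue filter chain in props.conf and transforms.conf. The stanza names `sec_drop_all`, `sec_keep_codes` and `sec_drop_service_accounts` are assumed names chosen here; the "Account Domain: NT AUTHORITY" regex is an assumption about what "service accounts" means and should be adjusted to the accounts actually in scope.

```ini
# inputs.conf (on the machine collecting the Security log, e.g. a universal forwarder)
# The whitelist keeps only the two event codes of interest; everything else
# is dropped before it leaves the host. Assumed example, not the poster's config.
[WinEventLog://Security]
disabled = 0
whitelist = 4732,4624

# props.conf (where parsing happens: an indexer or heavy forwarder, not a
# universal forwarder, which does not run TRANSFORMS).
# Transforms run in the listed order; the last one whose REGEX matches decides
# the queue, so: drop everything, re-admit the wanted codes, then drop
# service-account events among those.
[WinEventLog:Security]
TRANSFORMS-filter = sec_drop_all, sec_keep_codes, sec_drop_service_accounts

# transforms.conf
[sec_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[sec_keep_codes]
# Raw WinEventLog events carry a line of the form "EventCode=4624".
REGEX = (?m)^EventCode=(4732|4624)$
DEST_KEY = queue
FORMAT = indexQueue

[sec_drop_service_accounts]
# Assumed definition of "service account": any event whose Subject or
# New Logon section names the NT AUTHORITY domain. Extend the alternation
# (e.g. computer accounts ending in "$") as needed.
REGEX = (?m)^\s*Account Domain:\s+NT AUTHORITY\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

If the whitelist in inputs.conf already does the job on the forwarder, the `sec_drop_all`/`sec_keep_codes` pair is redundant and only `sec_drop_service_accounts` needs to be listed in `TRANSFORMS-filter`; keeping both is harmless and protects against inputs that bypass the whitelist. After changing props.conf or transforms.conf, restart the indexer or heavy forwarder, and confirm with a search such as `sourcetype=WinEventLog:Security | stats count by EventCode` that only 4732 and 4624 arrive.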