How do I edit my Splunk forwarder blacklist configuration to exclude a specific process name from being indexed?

I am trying to customize the Splunk Forwarder to send only certain logs. It looks like it is working correctly when I only add event IDs to the blacklist. What I would like to do is also add specific process names to exclude. I have looked over other questions/answers and I believe I am doing it correctly from what they are showing. But with my blacklists, it blocks all events when I put the Event ID in the blacklist, regardless of whether I put a message filter in as well. I would like to use the new process name as the second filter along with the Event ID, but I don't think you can use that. So I was trying to use Message and grab the process path from that.

Below is what I have put into the inputs.conf file, just for testing purposes to see if I could stop getting this one specific 4688 event, but it doesn't appear to do it correctly. Any advice would be helpful. Also, if there is some way to filter by process path name specifically before sending to the log server, that would be great.

    [WinEventLog://Security]
    disabled = 0
    blacklist1 = EventCode="4688" Message="*Files\SplunkUniversalForwarder\bin\splunk-powershell.exe*"

Thanks,
William
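An added check (not part of the original post) that runs the Message regex from the question and a corrected one against a constructed 4688 Message, approximating Splunk's key=regex blacklist test with Python's re module; it assumes Splunk searches the field value unanchored, and the sample event text and its values are made up:

```python
import re
from typing import Optional

# Constructed, abbreviated text of a Windows 4688 Message field (values are made up).
SAMPLE_4688_MESSAGE = (
    "A new process has been created.\r\n"
    "\r\n"
    "Process Information:\r\n"
    "\tNew Process ID:\t\t0x1a2c\r\n"
    "\tNew Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\r\n"
    "\tCreator Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\r\n"
)

# The Message value exactly as written in the question's inputs.conf.
# The value is a regex, not a glob: the leading "*" is a compile error, and "\S", "\b" and "\s"
# are regex escapes, so the backslashes in the path are never matched literally.
ORIGINAL_PATTERN = r"*Files\SplunkUniversalForwarder\bin\splunk-powershell.exe*"

# Corrected value. Backslashes are doubled, "." is escaped, and the pattern is anchored on the
# "New Process Name:" line so the rule drops only events where splunk-powershell.exe is the
# process being created, not events where it is merely the parent (Creator Process Name).
CORRECTED_PATTERN = r"New Process Name:\s+.*\\SplunkUniversalForwarder\\bin\\splunk-powershell\.exe"


def pattern_problem(pattern: str) -> Optional[str]:
    """Return the regex compile error for a pattern, or None if it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def blacklist_matches(pattern: str, message: str) -> bool:
    """Approximate Splunk's key=regex test: an unanchored search of the field value."""
    return re.search(pattern, message) is not None


def render_stanza(pattern: str) -> str:
    """Build the [WinEventLog://Security] stanza with the given Message regex."""
    return (
        "[WinEventLog://Security]\n"
        "disabled = 0\n"
        f'blacklist1 = EventCode="4688" Message="{pattern}"\n'
    )


if __name__ == "__main__":
    print("original pattern compile error:", pattern_problem(ORIGINAL_PATTERN))
    print("corrected pattern matches sample:", blacklist_matches(CORRECTED_PATTERN, SAMPLE_4688_MESSAGE))
    print(render_stanza(CORRECTED_PATTERN))
```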
