Hi,
At the moment I am testing Splunk at work. So far, I only have a single Splunk Enterprise instance (acting as deployment server) and a Win7 workstation.
I created a simple app with the purpose of catching EMET events. Its inputs.conf file only contains the following lines:
```ini
[WinEventLog://Application]
disabled = 0
whitelist = SourceName="EMET" EventCode="(^1$|^2$|^11$|^50$)"

[WinEventLog://Security]
disabled = 1

[WinEventLog://System]
disabled = 1
```
I created the app on the server, created the server class for Windows 7 workstations and assigned the app to that server class.
After restarting both the Splunk server and the client, the app files are copied to the client, but it doesn't seem to filter anything.
In order to do some troubleshooting, I ran the following debug command on the client:
```
splunk cmd btool inputs list --debug
```
and I can see in the output that the file was only partially parsed: only one line appears to have been taken, and the two `disabled = 1` lines were omitted.
Any idea what could be happening? Any tip I could follow?
Many thanks.
Jose
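As an added example that is not part of the original post and not Splunk's own code: an offline emulation of how the `whitelist = key=regex [key=regex]` line above is evaluated against Windows event fields, so the filter can be sanity-checked before pushing the app through the deployment server. It parses the posted inputs.conf, reads the enabled/disabled state of each stanza, and applies the whitelist to a few constructed events. Assumptions (mine, from the inputs.conf spec rather than from this post): every `key=regex` pair on one whitelist line must match (they are ANDed), regexes may be delimited by double quotes or `%`, and matching is an unanchored regex search, which is exactly why the `^1$` style anchors in the post matter. The sample events and field names are constructed for the demo.

```python
import re
import configparser

# Constructed inputs.conf text, copied from the question above.
INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0
whitelist = SourceName="EMET" EventCode="(^1$|^2$|^11$|^50$)"

[WinEventLog://Security]
disabled = 1

[WinEventLog://System]
disabled = 1
"""

# Constructed sample events (hypothetical values; field names as the
# Windows event log input exposes them).  Code 12 and source
# "Application Error" are there to show what the filter must reject.
SAMPLE_EVENTS = [
    {"SourceName": "EMET", "EventCode": "1"},
    {"SourceName": "EMET", "EventCode": "2"},
    {"SourceName": "EMET", "EventCode": "12"},
    {"SourceName": "EMET", "EventCode": "50"},
    {"SourceName": "Application Error", "EventCode": "1000"},
]

# key=regex pairs: regex in double quotes, in %...%, or bare (assumption).
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%|(\S+))')


def parse_inputs(text):
    """Parse inputs.conf-style text; interpolation off so '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_disabled(cp, stanza):
    return cp.get(stanza, "disabled", fallback="0").strip().lower() in ("1", "true")


def enabled_stanzas(cp):
    """Stanzas that would actually collect data (what btool should show enabled)."""
    return [s for s in cp.sections() if not is_disabled(cp, s)]


def parse_whitelist(value):
    """Turn 'SourceName="EMET" EventCode="(^1$|...)"' into [(key, compiled regex)]."""
    pairs = []
    for m in PAIR_RE.finditer(value):
        key = m.group(1)
        pattern = next(g for g in m.groups()[1:] if g is not None)
        pairs.append((key, re.compile(pattern)))
    return pairs


def event_passes(event, pairs):
    # Assumption: all pairs on one whitelist line are ANDed, unanchored search.
    return all(rx.search(str(event.get(key, ""))) for key, rx in pairs)


def filter_events(conf_text, events, stanza="WinEventLog://Application"):
    """Return the events the given stanza would forward (empty if disabled)."""
    cp = parse_inputs(conf_text)
    if stanza not in cp or is_disabled(cp, stanza):
        return []
    whitelist = cp.get(stanza, "whitelist", fallback=None)
    if whitelist is None:
        return list(events)          # no whitelist: everything is collected
    pairs = parse_whitelist(whitelist)
    return [e for e in events if event_passes(e, pairs)]


def passing_codes(conf_text, events, stanza="WinEventLog://Application"):
    return [e["EventCode"] for e in filter_events(conf_text, events, stanza)]


if __name__ == "__main__":
    print("enabled:", enabled_stanzas(parse_inputs(INPUTS_CONF)))
    print("anchored whitelist passes:", passing_codes(INPUTS_CONF, SAMPLE_EVENTS))
    # Same config with the anchors dropped: EventCode="1" now also lets 12 through.
    unanchored = INPUTS_CONF.replace('"(^1$|^2$|^11$|^50$)"', '"1"')
    print("unanchored whitelist passes:", passing_codes(unanchored, SAMPLE_EVENTS))
```

Running it shows the Application stanza as the only enabled one and codes 1, 2 and 50 passing, while the unanchored variant `EventCode="1"` also passes 12; that is the kind of check worth doing before trusting that "no filtering" on the client is a regex problem rather than a deployment problem.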