Hi
I need to collect all Windows Security logs that include a specific keyword from my infrastructure, where the Splunk UF is installed.
I'm using the following config for the Splunk Add-on for Windows, but this results in collecting all logs from the server.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD
index = wineventlog
renderXml=false
How can I do this correctly?
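For comparison, here is the stanza above next to a version that applies the same regex to the event's Message field. This is an added example, not part of the original post; it assumes the key=regex whitelist form that Splunk documents for WinEventLog inputs (a bare regex with no key is matched against EventCode, not the message text), and KEYWORD is a placeholder for the real search term.

```ini
; Original stanza (the whitelist is a bare regex, so it is not tested against the message text)
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD
index = wineventlog
renderXml = false

; Corrected stanza: the same regex, but bound to the Message field with the key=regex form.
; Only events whose Message matches are forwarded; everything else is dropped on the UF.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = Message="(?msi)^Workstation\s+Name\:\s+KEYWORD"
index = wineventlog
renderXml = false
```

Because the filter runs on the forwarder, anything that does not match is never indexed, so confirm that the "Workstation Name:" line actually appears in every event type you need (logon events carry it; many other Security events do not) before relying on it in production.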