Sure …
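# Application log: collection is switched off here.
# Boolean written as 1 to match the 0/1 form used by the other stanzas (Splunk accepts both).
[WinEventLog://Application]
disabled = 1
# Backfill the whole existing log on first enablement instead of only new events.
start_from = oldest
current_only = 0
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
# Classic text rendering rather than XML; changing this changes the fields the Windows TA extracts.
renderXml = false
index = wineventlog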
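# Security log. Blacklists drop events at the forwarder, before indexing; dropped
# events cannot be recovered later, so every filter below is a deliberate visibility gap.
[WinEventLog://Security]
disabled = 0
# Backfill the entire existing Security log on first enablement, not only new events.
start_from = oldest
current_only = 0
# Resolve SIDs/GUIDs to names through AD lookups (adds a directory query cost per event).
evt_resolve_ad_obj = 1
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
# 4662/566/5136: the negative lookahead drops every event whose object type/class is NOT
# groupPolicyContainer, i.e. only Group Policy object access/changes are kept.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="5136" Message="Class:(?!\s*groupPolicyContainer)"
# Whole event IDs dropped. NOTE(review): 4799 (local group membership enumerated) feeds
# common reconnaissance detections - confirm this exclusion is intended.
blacklist4 = 4689,4703,4985,4799,5158
# 4688: suppress process-creation events for the forwarder's own binaries.
# Only the first branch of each alternation is bound to "Process Name:"; the later
# ".+(?:...)" branches match the path substring anywhere in Message.
# NOTE(review): the btool.exe branch spells the directory "Splunk UniversalForwarder"
# (with a space) unlike every other branch - confirm the intended install path.
blacklist5 = EventCode="4688" Message="(?:Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:Splunk UniversalForwarder\\bin\\btool.exe)"
blacklist6 = EventCode="4688" Message="(?:Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunkwinprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkpowershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkregmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkadmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkMonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkwinevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkperfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)"
# 4688 by command line. NOTE(review): "-Embedding" is a generic COM-activation argument,
# not something specific to Splunk, so this branch drops process creations well beyond
# the forwarder - verify the gap is acceptable.
blacklist7 = EventCode="4688" Message="(?:Process Command Line:).+(?:--scheme)|.+(?:--no-log)|.+(?:-Embedding)"
# 4634/4624: drop logoff/logon events for machine accounts ($-suffixed) and SYSTEM.
# The ".+(?:SYSTEM)" branch is not bound to "Account Name:" and matches "SYSTEM" anywhere
# in Message; a 4624 Message also carries both a Subject and a New Logon "Account Name:"
# line. Verify against sample events that interactive user logons are not dropped too.
blacklist8 = EventCode="4634" Message="(?:Account Name:).+(?:\$$)|.+(?:SYSTEM)"
blacklist9 = EventCode="4624" Message="(?:Account Name:).+(?:\$$)|.+(?:SYSTEM)"
# Classic text rendering rather than XML; changing this changes the fields the Windows TA extracts.
renderXml = false
index = wineventlog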
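# System log. Each SourceName blacklist drops an entire provider at the forwarder.
[WinEventLog://System]
disabled = 0
# Backfill the whole existing log on first enablement instead of only new events.
start_from = oldest
current_only = 0
# Resolve SIDs/GUIDs to names through AD lookups.
evt_resolve_ad_obj = 1
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
# NOTE(review): LSA and MsiInstaller events can matter for incident reconstruction
# (software installs/removals, LSA warnings) - confirm these providers are meant to be dropped.
blacklist1 = SourceName="Microsoft-Windows-DistributedCOM"
blacklist2 = SourceName="Microsoft-Windows-Security-SPP"
blacklist3 = SourceName="Microsoft-Windows-LSA"
blacklist4 = SourceName="MsiInstaller"
# Classic text rendering rather than XML.
renderXml = false
index = wineventlog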
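# AppLocker channel for packaged (Store) app execution. No blacklist: every event is forwarded.
[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Execution]
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
current_only = 0
disabled = 0
# Backfill the whole existing channel on first enablement.
start_from = oldest
evt_resolve_ad_obj = 1
index = wineventlog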
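# AppLocker channel for packaged (Store) app deployment. No blacklist: every event is forwarded.
[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Deployment]
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
current_only = 0
disabled = 0
# Backfill the whole existing channel on first enablement.
start_from = oldest
evt_resolve_ad_obj = 1
index = wineventlog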
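# AppLocker channel for MSI and script rules. No blacklist: every event is forwarded.
[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
current_only = 0
disabled = 0
# Backfill the whole existing channel on first enablement.
start_from = oldest
evt_resolve_ad_obj = 1
index = wineventlog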
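# AppLocker channel for EXE and DLL rules. No blacklist: every event is forwarded.
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
# Seconds between checkpoint writes (per Splunk docs).
checkpointInterval = 5
current_only = 0
disabled = 0
# Backfill the whole existing channel on first enablement.
start_from = oldest
evt_resolve_ad_obj = 1
index = wineventlog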
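# Active Directory monitoring input; switched off here.
# Boolean written as 1 to match the 0/1 form used elsewhere in this file (Splunk accepts both).
[admon://default]
disabled = 1
monitorSubtree = 1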
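# Registry monitor for per-user Run keys (a common persistence location).
# hive is a regex over the native registry path, hence the doubled backslashes.
# NOTE(review): the pattern ends in "Run\\.*", so RunOnce is not covered - add a
# stanza for it if that key should be watched as well.
[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
# Any process may trigger a match.
proc = .*
# Registry operations that generate an event.
type = set|create|delete|rename
# Note this index differs from the wineventlog index used by the event-log stanzas; it must exist on the indexer.
index = windows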
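# Registry monitor for the machine-wide Run key (a common persistence location).
# hive is a regex over the native registry path, hence the doubled backslashes.
# NOTE(review): the pattern requires "SOFTWARE\\Microsoft\\" directly, so the 32-bit
# view under WOW6432Node is not covered, and RunOnce is not covered either.
[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
# Any process may trigger a match.
proc = .*
# Registry operations that generate an event.
type = set|create|delete|rename
# Note this index differs from the wineventlog index used by the event-log stanzas; it must exist on the indexer.
index = windows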
But I don't think the problem is related to inputs.conf. When I check the Windows events, I see a TaskCategory field, but I cannot search on it.