Per these docs [http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata][1], I have changed from the old way of using transforms to filter out unwanted Windows Events from logs I am monitoring to using a whitelist in inputs.conf. I am sending these to forwarders on various Windows systems using deployment monitor. While restarting a Splunk forwarder that had died for some reason, I got this error on startup:
    Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\apps\OIT_WINEVENT_DC_INDEX_WIN_01\default\inputs.conf, line 23: whitelist (value: 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,4618,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461 )
Here is the stanza from the inputs.conf file in question:
    [WinEventLog:Security]
    disabled = 0
    index = winevent_dc_index
    whitelist = 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,4618,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461
It looks just like the example in the documentation. Also, this blog entry says it should work in Splunk 6: [http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/][2]
So, why is this not working?
I also ran btool (it says the same thing):
    C:\Program Files\Splunk\bin>splunk btool check --debug
    Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\apps\OIT_WINEVENT_DC_INDEX_WIN_01\default\inputs.conf, line 23: whitelist (value: 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,4618,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461 )
[1]: http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata
[2]: http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
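As an added worked example (not part of the question above, and not Splunk's own code): a small Python script that reads the posted stanza with `configparser`, expands the whitelist's EventCode list and hyphenated ranges exactly as the value is written, and applies the result to a few constructed Security events so you can see which EventCodes would survive the filter. It assumes only the comma-separated code/range syntax shown in the question; the sample events and the stanza text are constructed here, and Splunk's own matching engine (and the reason btool rejects the key on that forwarder) is not reproduced.

```python
"""Parse a Splunk WinEventLog stanza and apply its EventCode whitelist.

Added example; the stanza text and sample events are constructed for
illustration. Only the plain comma-separated EventCode / range syntax
from the question is assumed (no regex-style whitelist entries).
"""
import configparser
import re

# The stanza from the question, embedded so the script runs offline.
STANZA = """
[WinEventLog:Security]
disabled = 0
index = winevent_dc_index
whitelist = 528-535,539-540,624-626,632,636,659,642-644,660,675-676,671-672,680-681,1100,1102,1104,1108,4612,4616,4618,4624-4625,4634,4720,4728,4732,4738,4740,4756,4767-4768,4771-4772,4776,5461
"""

# A plain EventCode list: digits or digit ranges, comma separated, no spaces.
CODE_LIST = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def parse_code_list(value):
    """Expand '528-535,632' into a set of ints; reject anything else."""
    value = value.strip()
    if not CODE_LIST.match(value):
        raise ValueError(f"not a plain EventCode list: {value!r}")
    codes = set()
    for item in value.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo > hi:
                raise ValueError(f"descending range: {item}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(item))
    return codes


def load_stanza(text, name="WinEventLog:Security"):
    """Return the named stanza as a mapping of lower-cased keys to strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp[name]


def filter_events(events, whitelist=None, blacklist=None):
    """Keep events whose EventCode is in the whitelist (if any) and not in
    the blacklist (if any); an absent whitelist passes every code."""
    kept = []
    for ev in events:
        code = ev["EventCode"]
        if whitelist is not None and code not in whitelist:
            continue
        if blacklist is not None and code in blacklist:
            continue
        kept.append(ev)
    return kept


# Constructed sample Security events (EventCode plus a short description).
SAMPLE_EVENTS = [
    {"EventCode": 4624, "desc": "logon success"},
    {"EventCode": 4625, "desc": "logon failure"},
    {"EventCode": 4688, "desc": "process created"},   # not in the whitelist
    {"EventCode": 4663, "desc": "object access"},     # not in the whitelist
    {"EventCode": 5461, "desc": "last code in the list"},
    {"EventCode": 671, "desc": "from the out-of-order 671-672 range"},
]


def demo():
    """Apply the stanza's whitelist to the sample events; return kept codes."""
    stanza = load_stanza(STANZA)
    wl = parse_code_list(stanza["whitelist"])
    return [e["EventCode"] for e in filter_events(SAMPLE_EVENTS, whitelist=wl)]


if __name__ == "__main__":
    wl = parse_code_list(load_stanza(STANZA)["whitelist"])
    print(f"{len(wl)} EventCodes whitelisted; kept: {demo()}")
```

Running it shows that the posted value is a syntactically clean list (48 distinct EventCodes once the ranges are expanded, including the out-of-order `675-676,671-672` pair), so the btool complaint is about the `whitelist` key itself being unknown to that forwarder's spec, not about the value's format.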