Hey guys.
I want to exclude all messages from WinEventLog:Security except those containing the word "delete" (for deleted file audit).
I was trying 2 ways:
1st: in inputs.conf
[WinEventLog://Security]
whitelist1 = "delete"
disabled = 0
2nd:
props.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = delete
DEST_KEY = queue
FORMAT = indexQueue
transforms.conf
[source::WinEventLog:Security] or [source::WinEventLog://Security] (with // like in inputs.conf)
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing
Neither of these works, and I still get all events.
What is the difference between these two approaches and what did I do wrong?
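To see why the order of setnull and setparsing matters in the second approach, here is a small added simulation (not from the post, and not Splunk code) of the index-time routing chain. It assumes the simplified model Splunk's routing docs describe: every transform listed in a TRANSFORMS-* key runs in order, each matching one overwrites DEST_KEY = queue, so the last match wins. The two .conf fragments and the sample events are constructed for the example; the stanza placement follows Splunk's documented layout, with [setnull]/[setparsing] in transforms.conf and the TRANSFORMS- key on the source stanza in props.conf.

```python
import configparser
import re

# Constructed props.conf / transforms.conf pair (added example) in the
# layout Splunk documents for nullQueue routing: the [setnull] and
# [setparsing] stanzas live in transforms.conf, and props.conf only
# references them through a TRANSFORMS-<name> key on the source stanza.
TRANSFORMS_CONF = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = delete
DEST_KEY = queue
FORMAT = indexQueue
"""

PROPS_CONF = """
[source::WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing
"""

# Same chain with the order reversed, to show why the order matters.
PROPS_CONF_REVERSED = """
[source::WinEventLog:Security]
TRANSFORMS-set = setparsing, setnull
"""

# Constructed, abbreviated Security-log events (not real captures).
SAMPLE_EVENTS = {
    "logon": "EventCode=4624 An account was successfully logged on.",
    "delete_lower": "EventCode=4663 An attempt was made to access an object. Accesses: delete",
    "delete_upper": "EventCode=4663 An attempt was made to access an object. Accesses: DELETE",
}


def load_conf(text):
    """Parse a .conf fragment; keep key case so DEST_KEY/FORMAT survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_event(raw, props_text, transforms_text, source="WinEventLog:Security"):
    """Simplified model of Splunk's index-time routing for one event.

    Each transform named in a TRANSFORMS-* key runs in the listed order;
    every one whose REGEX matches the raw event writes its FORMAT into
    DEST_KEY. When DEST_KEY is queue, the last matching transform decides
    where the event ends up."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    queue = "indexQueue"  # default when no transform rewrites the queue
    for key, value in props[f"source::{source}"].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
                queue = t["FORMAT"]
    return queue


def route_all(props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Route every constructed sample event and return {name: queue}."""
    return {name: route_event(raw, props_text, transforms_text)
            for name, raw in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("documented order:", route_all())
    print("reversed order:  ", route_all(PROPS_CONF_REVERSED))
    # REGEX is case-sensitive; (?i) makes "DELETE" match as well
    print("case-insensitive:", route_all(
        transforms_text=TRANSFORMS_CONF.replace("REGEX = delete", "REGEX = (?i)delete")))
```

With setnull first, the catch-all "." sends everything to nullQueue and setparsing then pulls the "delete" events back to indexQueue; reversed, setnull runs last and drops everything. The third run also shows that a plain REGEX = delete is case-sensitive, so an event carrying "DELETE" is still dropped unless the pattern is written as (?i)delete.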