Hi
I want to drop all Windows Security Events (4624, 4625, etc.) with Logon Type: 3.
My first idea is to make a filter on my Heavy Forwarder:
props.conf
[WinEventLog:Security]
TRANSFORMS-windows_events = win-event-cut-en
[host::server1]
TRANSFORMS-security = events-null, drop_logtyp3, win
Maybe I must swap the transforms (drop_logtyp3, win, events-null)?
transforms.conf
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated)
FORMAT = $1
[win]
REGEX = (?msi)^EventCode=(4624|4625|528|529|530|531|532|533|534|535|536|537|538)
DEST_KEY = queue
FORMAT = indexQueue
[drop_logtyp3]
REGEX = (?msi).*Logon\sType:\s*3\D
DEST_KEY = queue
FORMAT = nullQueue
When I try my REGEX stanza in a search, I get the correct result (no events with Logon Type: 3):
host="server1" | regex _raw != (?msi).*Logon\sType:\s*3\D
But it does not work in transforms.conf.
My second idea is to use a blacklist in the inputs.conf on my Universal Forwarder (ver 6.3.3 64-bit), which is installed on server1, but I can't find any examples with a regex in the blacklist, only a simple list of event codes: blacklist = 4624, 4625, etc.
Tell me please, where are my mistakes?
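Added illustration (not from the poster, and not Splunk's own code) of how the order of the three queue-routing transforms above decides where a Logon Type 3 event ends up. It assumes Splunk's documented behaviour that the transforms in a TRANSFORMS-<class> list run in the listed order and the last matching DEST_KEY=queue assignment wins; the regexes are the ones from the question's transforms.conf, and the events are constructed, not real captures.

```python
import re

# Simulated Splunk queue routing. Assumption (labelled): transforms in a
# TRANSFORMS-<class> list run in order, and the LAST matching DEST_KEY=queue
# transform decides the queue; an event no transform touches is indexed.
TRANSFORMS = {
    # REGEX and FORMAT copied from the transforms.conf in the question
    "events-null": (r".", "nullQueue"),
    "drop_logtyp3": (r"(?msi).*Logon\sType:\s*3\D", "nullQueue"),
    "win": (r"(?msi)^EventCode=(4624|4625|528|529|530|531|532|533|534|535|536|537|538)",
            "indexQueue"),
}

def make_event(code, logon_type):
    """Constructed WinEventLog:Security-style event (not a real capture)."""
    return (
        "02/10/2017 10:00:00 AM\n"
        "LogName=Security\n"
        f"EventCode={code}\n"
        "TaskCategory=Logon\n"
        "Message=An account was successfully logged on.\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "New Logon:\n"
    )

def route(event, order):
    """Apply the named transforms in order; return the queue the event ends in."""
    queue = "indexQueue"
    for name in order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, event):
            queue = fmt          # a later match overwrites an earlier one
    return queue

SAMPLES = {
    "4624_type3": make_event(4624, 3),   # network logon: should be dropped
    "4624_type2": make_event(4624, 2),   # interactive logon: should be kept
    "4634_type3": make_event(4634, 3),   # code not in the "win" list: dropped
}

def routing_table(order):
    """Queue reached by each sample event for one TRANSFORMS order."""
    return {name: route(ev, order) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for order in (["events-null", "drop_logtyp3", "win"],   # order in the question
                  ["drop_logtyp3", "win", "events-null"],   # swap the asker considers
                  ["events-null", "win", "drop_logtyp3"]):  # drop rule applied last
        print(order, routing_table(order))
```

Only the third order keeps the 4624 interactive logon while dropping the Logon Type 3 event; in the question's order "win" runs last and sends the Logon Type 3 event back to indexQueue, and in the swapped order "events-null" runs last and drops everything.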