I have the following requirement:<ul><li>send WinEventLog://Application, except for one specific EventCode, to one index</li><li>send that specific EventCode to another index</li></ul>
While I can get one of both requirements to work at a time, I can't figure out how to do both simultaneously.
In one forwarder app my inputs.conf looks like this:
<pre>
[WinEventLog://Application]
disabled = false
blacklist = 33205
index = index1</pre>
and in the other one I have<pre>
[WinEventLog://Application]
disabled = false
whitelist = 33205
index = index2</pre>
Anyone got something like this to work without resorting to props.conf/transforms.conf magic on the indexers? (Which I want to avoid, due to the sheer data volume.)
Is it maybe not possible to have two input stanzas for WinEventLog://Application?
(UFW: v6.2.1 / servers: v6.2.4)