Hi
I want to drop all Windows Security Events (4624,4625 etc) with Logon Type:3
My first idea is to make a filter on my Heavy Forwarder:
-------props.conf
[WinEventLog:Security]
TRANSFORMS-windows_events = win-event-cut-en
[host::server1]
TRANSFORMS-security = events-null, drop_logtyp3, win
Maybe I must swap the transforms (drop_logtyp3, win, events-null)???
------transforms.conf
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated)
FORMAT = $1
[win]
REGEX = (?msi)^EventCode=(4624|4625|528|529|530|531|532|533|534|535|536|537|538)
DEST_KEY = queue
FORMAT = indexQueue
[drop_logtyp3]
REGEX = (?msi).*Logon\sType:\s*3\D
DEST_KEY = queue
FORMAT = nullQueue
When I try my REGEX in a search I get the right result (no events with Logon Type:3):
host="server1" | regex _raw != (?msi).*Logon\sType:\s*3\D
But it does not work in transforms.conf.
My second idea is to use a blacklist in the inputs.conf on my Universal Forwarder (ver 6.3.3 64bit) which is installed on server1,
but I can't find any examples with a regex in the blacklist,
only a simple list of event codes: blacklist = 4624, 4625
etc.
Please tell me where my mistakes are.
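A corrected version of both approaches, added here as an example and not part of the original post. It relies on Splunk's documented behaviour that transforms in one TRANSFORMS-<class> list run in the listed order, so the last transform that sets DEST_KEY = queue wins for a given event, and on the documented inputs.conf advanced filtering syntax (blacklist1 = key=regex pairs, regex delimited with %), where EventCode and Message are the documented field keys.

```ini
# --- props.conf on the heavy forwarder (added example, not from the post) ---
[host::server1]
# Transforms in one list run left to right; the last one that sets
# DEST_KEY = queue decides the queue. In the original order
# (events-null, drop_logtyp3, win) the "win" transform runs last and
# puts every 4624/4625 event back into indexQueue, Logon Type 3 included.
# The "put back" transform must therefore run BEFORE the final drop.
TRANSFORMS-security = events-null, win, drop_logtyp3

# --- transforms.conf on the heavy forwarder ---
[events-null]
# 1. Send every event to nullQueue first ...
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[win]
# 2. ... then bring the wanted EventCodes back to indexQueue ...
REGEX = (?msi)^EventCode=(4624|4625|528|529|530|531|532|533|534|535|536|537|538)
DEST_KEY = queue
FORMAT = indexQueue

[drop_logtyp3]
# 3. ... and finally drop those whose body says "Logon Type: 3".
# \b (instead of \D) also matches at the very end of the event and
# still rejects 30, 31, etc.; (?s) is what lets the match span lines.
REGEX = (?msi)Logon\sType:\s*3\b
DEST_KEY = queue
FORMAT = nullQueue

# --- inputs.conf on the universal forwarder (alternative approach) ---
[WinEventLog://Security]
# blacklist1..blacklist9 accept key=regex pairs; all pairs on one line
# must match (AND) for the event to be discarded. The Message text of a
# network logon contains "Logon Type:" followed by tabs and the number.
blacklist1 = EventCode=%^(4624|4625)$% Message=%Logon\sType:\s+3\b%
```

The inputs.conf variant discards the events on server1 before they are sent, so it also saves forwarder bandwidth and heavy forwarder parsing work, whereas the nullQueue route only saves indexing volume.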