
WinEvents Filtering on Heavy Forwarder (drop the end of event)

Hello guys,

I'm trying to drop the end of all Security events:

    This event is generated when a logon session is created. It is generated on the computer that was accessed. ....

My conf files on the Heavy Forwarder are:

transforms.conf

    [win-event-cut-en]
    DEST_KEY = _raw
    REGEX = ((.*+[\v])+)(?=This event is generated when)
    FORMAT = $1

props.conf

    [WinEventLog:Security]
    TRANSFORMS-windows_events = win-event-cut-en

It doesn't work.
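An added example, not part of the original post: one way to cut the same trailer is a `SEDCMD` in props.conf on the heavy forwarder instead of a transform that rewrites `_raw`. The `source::` stanza and the class name `strip_logon_trailer` are assumptions; adjust the stanza to however the input is actually labelled.

```ini
# props.conf on the heavy forwarder (the instance that parses the events).
# Assumption: events arrive with source = WinEventLog:Security; matching on
# source works whether the sourcetype is WinEventLog or WinEventLog:Security.
[source::WinEventLog:Security]
# [\s\S]+ also matches line breaks, so everything from the explanatory
# sentence to the end of the event is removed from _raw before indexing.
# "strip_logon_trailer" is a hypothetical class name.
SEDCMD-strip_logon_trailer = s/This event is generated when[\s\S]+$//g
```

The setting applies only to events parsed after the forwarder is restarted, and only if this forwarder is the first full Splunk instance to parse them.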
