I have a UF running on a Linux device, with a TCP input. The input is coming from a Graylog forwarder, and all the Windows events come in with a 'winlogbeat_' preface.
I want to blacklist Windows events coming by event code, and normally I use a blacklist = EventCode="xxxx" Message=....
However, the event code comes in as winlogbeat_event_id.
I did try this:
blacklist1= winlogbeat_event_id = "4662"
This doesn't appear to work.
Can someone help with this?
Is there any log that shows events being whitelisted or blacklisted?
Thank you!