I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?
[WinEventLog://Security]
disabled = 0
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5
Thank you in advance.
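An added example, not part of the original post and not the poster's configuration: the same stanza with the blacklist written in the `key=regex` form that inputs.conf accepts for Windows event log inputs. It assumes the events are collected in the default (non-XML) format and that the account names appear in the event's Message text after "Account Name:"; name1 through name5 are the post's own placeholders.

```ini
[WinEventLog://Security]
disabled = 0
index = "index"
sourcetype = "sourcetype"

# As posted (kept for comparison, commented out). Account_Name is a field name
# extracted at search time, not one of the keys the blacklist setting accepts
# (such as EventCode, Message, User, ComputerName, SourceName), and the regex
# has no delimiters and contains a stray space before name2.
# blacklist = Account_Name=name1| name2|name3|name4|name5

# key=regex form: the regex is delimited (here with double quotes) and is
# matched against the Message text of each event. The trailing \s stops
# "name1" from also matching a longer name such as "name10".
blacklist1 = Message="Account Name:\s+(?:name1|name2|name3|name4|name5)\s"
```

Many Security events carry more than one "Account Name:" line (for example a subject and a target account), so this pattern drops an event when any of them matches; adding an `EventCode=` key to the same blacklist line narrows it to specific event types. Events dropped this way never reach the index, so confirm the listed accounts are not needed for later investigation before deploying the filter.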