Hi Guys!
How do I create a filter to discard Windows logon events (EventID = 4624), but only when the LogonProcessName field is equal to 'NtLmSsp'?
The logs are in XML format.
I've tried several regexes, but none worked.
Does anyone have an idea?
4624/EventID>2 0 12544 0 0x8020000000000000 602433466 Security DC01.mydomain.com NULL SID--0x0MTI\user01user01mydomain0x2807316813NtLmSsp NTLMCOMP01{00000000-0000-0000-0000-000000000000}-NTLM V200x0---%%1833---%%18430x0%%1842
*props.conf*
[XmlWinEventLog]
TRANSFORMS-set=setnull
*transforms.conf*
[setnull]
REGEX = (?m)(4624<\/EventID>).+(NtLmSsp\s+<\/Data>)
DEST_KEY = queue
FORMAT = nullQueue
- Other REGEX used unsuccessfully:
REGEX = (?m)EventCode\s*=\s*4624.*?LogonProcessName\s*=\s*NtLmSsp\s
REGEX = (?m)LogonProcessName=(NtLmSsp)
REGEX = (?m)^EventCode=(4624).+(LogonProcessName=NtLmSsp)
Thank you very much in advance.
Regards
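As an added example (not from the original post, and not Splunk's own code): a Windows XML event spans several lines, so under `(?m)` alone the `.+` in the posted transform can never reach from `</EventID>` to the LogonProcessName `<Data>` element, whereas `(?s)` (dotall) lets `.` cross line breaks and anchoring on the `Name=` attribute keeps other `<Data>` values from triggering the drop. The 4624 XML below is constructed with placeholder host and user names, and Python's `re` is used as a close stand-in for the PCRE engine that evaluates `REGEX` in transforms.conf.

```python
import re

# Constructed, abbreviated 4624 event in Windows XML format (placeholder values).
# Windows writes the LogonProcessName value with a trailing space ("NtLmSsp ").
SAMPLE_4624_NTLM = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4624</EventID>
    <Computer>DC01.example.com</Computer>
  </System>
  <EventData>
    <Data Name='TargetUserName'>user01</Data>
    <Data Name='LogonType'>3</Data>
    <Data Name='LogonProcessName'>NtLmSsp </Data>
    <Data Name='AuthenticationPackageName'>NTLM</Data>
  </EventData>
</Event>"""

# Same shape, Kerberos logon: must be kept.
SAMPLE_4624_KERBEROS = (SAMPLE_4624_NTLM
                        .replace("NtLmSsp ", "Kerberos")
                        .replace("NTLM", "Kerberos"))

# Failed NTLM logon (4625) with the same LogonProcessName: must be kept too.
SAMPLE_4625_NTLM = SAMPLE_4624_NTLM.replace("<EventID>4624", "<EventID>4625")

# Pattern as posted in the question: (?m) only, so '.' stops at each newline.
ORIGINAL_REGEX = r"(?m)(4624<\/EventID>).+(NtLmSsp\s+<\/Data>)"

# Corrected pattern (assumption, not Splunk's documentation): dotall so the match
# crosses lines, lazy '.*?' so it stops at the first matching <Data>, and the
# Name attribute included so a username of "NtLmSsp" cannot match by accident.
FIXED_REGEX = (r"(?s)<EventID>4624</EventID>.*?"
               r"<Data Name=['\"]LogonProcessName['\"]>NtLmSsp\s*</Data>")


def should_drop(event: str, pattern: str) -> bool:
    """True if a transform using `pattern` would route `event` to nullQueue."""
    return re.search(pattern, event) is not None


if __name__ == "__main__":
    for name, ev in [("4624/NTLM", SAMPLE_4624_NTLM),
                     ("4624/Kerberos", SAMPLE_4624_KERBEROS),
                     ("4625/NTLM", SAMPLE_4625_NTLM)]:
        print(f"{name:14} original: {should_drop(ev, ORIGINAL_REGEX)!s:5} "
              f"fixed: {should_drop(ev, FIXED_REGEX)}")
```

NTLM network logons are the 4624 events that many lateral-movement detections depend on, so it is worth scoping such a transform as narrowly as possible (for example by LogonType or source host) rather than discarding every NtLmSsp logon.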