Hi guys,
it seems there's something wrong with my inputs.conf whitelist configuration :
[WinEventLog://System]
index = winsecevents
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
whitelist = EventCode="^104$" TaskCategory="^Log\sclear"
I tried of course with :
whitelist = EventCode="104" TaskCategory="Log clear"
or with the "message" conf like this one :
whitelist = EventCode="104" Message=".+log\sfile\swas\scleared\."
But nothing has changed.
Do you have some ideas?
Thanks a lot.
↧