Filter attempts (whitelist or blacklist) on Message key value data appear to behave differently when renderXml = True compared to when renderXml = False.
Taking the following Event Message data for example:
fragment_beginC:\Windows\System32\ping.exefragment_end
When renderXml = False, the following expression succeeds in filtering events:
blacklist = Message=".*\\(calc|ping).exe"
However, when renderXml = True, the same expression fails to filter events.
After trying various filtering strategies on this Message key/data when renderXml = True, it appears that matching fails any time XML character entities (quote, ampersand, single quote, greater than, less than) are included in the pattern for matching.
I've tried cancelling these characters in various ways (backslash, name, decimal) with no success.
Can anyone think of a workaround?