I have set up the following inputs.conf stanza:
[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
I am using the Windows universal forwarder 6.1.1 and the latest Windows TA.
The issue here is that EventCode=4662 needs to be surrounded by some sort of delimiter, per the following in inputs.conf:
In key/regex form, the first character of the regex is the delimiter. Valid regexes look like:
%regex% regex "regex" etc. The only restriction is that the delimiter cannot be within the regex itself.
http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Inputsconf
So if you instead add a delimiter, EventCode="4662", this will resolve the issue:
blacklist1=EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
should work.
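As an added example (my own code, not from this thread and not Splunk's parser), the script below applies the delimiter rule the answer quotes to both blacklist values, then runs each against a few constructed Security events to show which ones would be dropped. Assumptions: the parser is a simplified model of the quoted rule; multiple key/regex pairs are treated as ANDed, which is how I read the inputs.conf spec example (treated as an assumption here); Python's re stands in for the PCRE engine Splunk uses, and the constructs involved behave the same in both. One caveat the example also shows: with \s+ directly before a negative lookahead, the engine can backtrack to a shorter whitespace run so the lookahead sees a tab rather than "groupPolicyContainer", which means the corrected blacklist from the answer matches the groupPolicyContainer events as well. The TIGHTENED value lets the lookahead absorb whitespace and anchors the EventCode so 4662 cannot match, say, 14662.

```python
import re

# Constructed sample events, trimmed to the two fields the blacklist inspects.
# Real 4662 messages put "Object Type:" on its own line with tab padding.
SAMPLE_EVENTS = [
    {"label": "gpo", "EventCode": "4662",
     "Message": "An operation was performed on an object.\r\n"
                "\tObject Type:\t\tgroupPolicyContainer\r\n"},
    {"label": "user", "EventCode": "4662",
     "Message": "An operation was performed on an object.\r\n"
                "\tObject Type:\t\tuser\r\n"},
    {"label": "logon", "EventCode": "4624",
     "Message": "An account was successfully logged on.\r\n"},
]

# The asker's value, the answer's corrected value, and a tightened variant.
ORIGINAL = r'EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"'
CORRECTED = r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"'
TIGHTENED = r'EventCode="^4662$" Message="Object Type:\s+(?!\s*groupPolicyContainer)"'


def parse_key_regex(value):
    """Split a key/regex blacklist value into [(key, compiled_regex), ...].

    Follows the rule quoted from inputs.conf: the first character after
    'key=' is the delimiter and the regex runs to its next occurrence.
    This is a simplified model of that rule, not Splunk's own parser.
    """
    pairs = []
    i, n = 0, len(value)
    while i < n:
        if value[i].isspace():          # whitespace separates pairs
            i += 1
            continue
        eq = value.find("=", i)
        if eq == -1:
            raise ValueError(f"no '=' in {value[i:]!r}")
        key = value[i:eq]
        if eq + 1 >= n:
            raise ValueError(f"no regex after {key}=")
        delim = value[eq + 1]           # e.g. '"' for "4662", or '4' for 4662
        end = value.find(delim, eq + 2)
        if end == -1:
            raise ValueError(f"{key}: opening delimiter {delim!r} is never closed")
        pairs.append((key, re.compile(value[eq + 2:end])))
        i = end + 1
    return pairs


def parse_problem(value):
    """Return the parse error as a string, or None if the value parses."""
    try:
        parse_key_regex(value)
    except ValueError as err:
        return str(err)
    return None


def is_blacklisted(event, pairs):
    """True when every key/regex pair matches (pairs ANDed; an assumption
    based on my reading of the inputs.conf spec example)."""
    return all(rx.search(event.get(key, "")) for key, rx in pairs)


def dropped_labels(blacklist, events=SAMPLE_EVENTS):
    """Labels of the sample events the given blacklist value would drop."""
    pairs = parse_key_regex(blacklist)
    return [e["label"] for e in events if is_blacklisted(e, pairs)]


if __name__ == "__main__":
    print("ORIGINAL :", parse_problem(ORIGINAL))
    print("CORRECTED:", dropped_labels(CORRECTED))
    print("TIGHTENED:", dropped_labels(TIGHTENED))
```

Running it shows ORIGINAL failing to parse because the first character after EventCode= is "4" and no second "4" ever closes it, CORRECTED parsing but dropping both 4662 samples (the backtracking caveat above), and TIGHTENED dropping only the non-groupPolicyContainer 4662 event.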
Thanks bro. That did it for me.