Hello,
I am looking for help here; this is a very weird issue that I am facing. I have a requirement to monitor Event IDs 4624 and 4625 from a specific set (10) of servers.
I have used the following inputs.conf, but instead of receiving data for these specific events, I am receiving some other event codes such as 4670, 4719, 4742, 4738, etc.
I have tried almost all possible ways, but I am unable to understand what's really happening here.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# only index events with these event IDs.
whitelist = 4624, 4625
index = wineventlog
sourcetype = xyz
renderXml=false