We are attempting to filter out events that we do not wish to index.
In props.conf:
[source::WinEventLog:Security]
TRANSFORMS-nullq=DropFilteringPlatform
In transforms.conf:
[DropFilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\\sPlatform
DEST_KEY=queue
FORMAT=nullqueue
My first question is, does that look like it would filter out the Windows Platform Filtering events?
The second question, though probably stupid, is: what is the difference between null and nullq in the props.conf? I'm also curious about the queue, nullqueue, and null in transforms.conf; is there a document that explains any of that?
The last question is, I want to pull in WMI data from any terminals that come on a specific subnet. When adding in the data to search for with WMI, is there a way to make it pull from an entire subnet?
Thanks in advance for any help.
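The following is an added check, not part of the original post, that runs the posted REGEX against a few constructed multi-line Security events in the shape the WinEventLog input renders them (LogName=, EventCode=, TaskCategory= on separate lines). It uses Python's `re` as a stand-in for Splunk's PCRE, and it assumes that Splunk hands the REGEX value from transforms.conf to the regex engine unchanged, so that `\\s` is an escaped backslash followed by a literal `s` rather than the whitespace class. Under that assumption the pattern as posted matches nothing, while the single-backslash form `\s` routes the Filtering Platform events to the null queue and leaves the logon event alone. The sample events and the `route`/`route_all` helpers are constructed for this example.

```python
import re

# Constructed sample events, modelled on the multi-line rendering of Windows
# Security events by the WinEventLog input. Only the fields needed for the
# check are included.
SAMPLE_EVENTS = [
    # Windows Filtering Platform events: these are the ones the stanza aims to drop
    "LogName=Security\nEventCode=5156\n"
    "TaskCategory=Filtering Platform Connection\n"
    "Message=The Windows Filtering Platform has permitted a connection.",
    "LogName=Security\nEventCode=5152\n"
    "TaskCategory=Filtering Platform Packet Drop\n"
    "Message=The Windows Filtering Platform blocked a packet.",
    # An account logon event: this must still be indexed
    "LogName=Security\nEventCode=4624\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.",
]

# The REGEX value character for character as it appears in the posted stanza.
# In a raw string, "\\s" reaches the regex engine as an escaped backslash plus 's'.
REGEX_AS_POSTED = r"(?msi)^TaskCategory=Filtering\\sPlatform"

# The same pattern with a single backslash, so \s is the whitespace class.
REGEX_SINGLE_BACKSLASH = r"(?msi)^TaskCategory=Filtering\sPlatform"


def route(event: str, pattern: str) -> str:
    """Mirror DEST_KEY=queue / FORMAT=nullqueue: a match sends the event to the
    null queue (dropped before indexing); otherwise it stays on the default
    indexing path. Returns the queue name the event would be routed to."""
    return "nullqueue" if re.search(pattern, event) else "indexQueue"


def route_all(events, pattern: str):
    """Route every sample event and return the list of queue names."""
    return [route(e, pattern) for e in events]


def dropped_count(events, pattern: str) -> int:
    """How many of the events the pattern would send to the null queue."""
    return sum(1 for q in route_all(events, pattern) if q == "nullqueue")


if __name__ == "__main__":
    for label, pattern in (("as posted", REGEX_AS_POSTED),
                           ("single backslash", REGEX_SINGLE_BACKSLASH)):
        print(f"{label:17s} {pattern!r}")
        for ev, q in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, pattern)):
            task = next(l for l in ev.splitlines() if l.startswith("TaskCategory="))
            print(f"    {task:45s} -> {q}")
        print(f"    dropped: {dropped_count(SAMPLE_EVENTS, pattern)} of {len(SAMPLE_EVENTS)}")
```

Because `(?m)` is set, `^` anchors at the start of each line inside the event, which is what lets `TaskCategory=` match on its own line rather than only at the start of the whole event. As for the props.conf side, the text after `TRANSFORMS-` (`nullq`, `null`, or anything else) is only a class name that Splunk uses to group and order transforms; it carries no meaning of its own, and the actual drop is decided by `DEST_KEY=queue` with `FORMAT=nullqueue` in the referenced transforms.conf stanza.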