I've been filtering Windows Security events for a while now without any issue by using:
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wmisecnull
transforms.conf
[wmisecnull]
REGEX=(?m)^EventCode=(8|33|674|916|4770|5145|5157|4688|4689)
DEST_KEY=queue
FORMAT=nullQueue
Then I made these edits:
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wmisecnull
WMI:WinEventLog:Application]
TRANSFORMS-wmi=wmiappnull
transforms.conf
[wmisecnull]
REGEX=(?m)^EventCode=(8|33|674|916|4770|5145|5157|4688|4689)
DEST_KEY=queue
FORMAT=nullQueue
[wmiappnull]
REGEX=(?m)^EventCode=(916)
DEST_KEY=queue
FORMAT=nullQueue
After these edits, the events that used to be filtered are no longer filtered.
The opening "[" is missing at WMI:WinEventLog:Application. Is that what you have in the conf file, or is it only a typo in your post?
As well, I would change its TRANSFORMS-wmi= to TRANSFORMS-wmiapp= just to be sure there is no conflict with the first one.
Can you have multiple regexes under one stanza, or do I have to make a one-to-one relationship between props and transforms even if the source type and action are the same?
Once I put in the missing [, the world started spinning again!
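To show why the missing "[" silently killed the Security filter, here is an added example (not from the thread or from Splunk itself) that mimics conf stanza parsing with the assumptions that a line which is neither a [header] nor key=value is ignored and that a repeated key inside one stanza takes the last value, then replays the thread's props/transforms against a constructed event. It also treats TRANSFORMS-<class> as a comma-separated list of transforms stanzas, which is how several regexes can hang off one props stanza.

```python
import re

# The broken props.conf from the post: the second header lacks its "[".
BROKEN_PROPS = """
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wmisecnull
WMI:WinEventLog:Application]
TRANSFORMS-wmi=wmiappnull
"""
FIXED_PROPS = BROKEN_PROPS.replace("\nWMI:WinEventLog:Application]",
                                   "\n[WMI:WinEventLog:Application]")
TRANSFORMS = """
[wmisecnull]
REGEX=(?m)^EventCode=(8|33|674|916|4770|5145|5157|4688|4689)
DEST_KEY=queue
FORMAT=nullQueue
[wmiappnull]
REGEX=(?m)^EventCode=(916)
DEST_KEY=queue
FORMAT=nullQueue
"""

def parse_conf(text):
    """Toy stanza parser (assumption: later duplicate key wins; a line that is
    neither [header] nor key=value is dropped, as the broken header line is)."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()
    return conf

def null_queued(props, transforms, sourcetype, event):
    """True if any TRANSFORMS-* class on the sourcetype routes event to nullQueue."""
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("TRANSFORMS-"):
            for name in value.split(","):          # comma-separated transform list
                t = transforms.get(name.strip(), {})
                if (t.get("DEST_KEY"), t.get("FORMAT")) == ("queue", "nullQueue") \
                        and re.search(t["REGEX"], event):
                    return True
    return False

def dropped(props_text, sourcetype, event):
    return null_queued(parse_conf(props_text), parse_conf(TRANSFORMS), sourcetype, event)

if __name__ == "__main__":
    ev = "LogName=Security\nEventCode=4688\nEventType=0"   # constructed sample event
    print("broken:", dropped(BROKEN_PROPS, "WMI:WinEventLog:Security", ev))  # False
    print("fixed: ", dropped(FIXED_PROPS, "WMI:WinEventLog:Security", ev))   # True
```

With the broken file, the stray "TRANSFORMS-wmi=wmiappnull" line lands inside the Security stanza and overwrites wmisecnull, so only EventCode 916 is ever dropped. The same harness also shows the regex has no end anchor, so a constructed "EventCode=800" is dropped as well; appending "$" to the alternation would tighten it.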