Hello.
I need to monitor events with EventCode="4656" on Windows Server, but only events with the string "ObjectType: File" in Message.
inputs.conf
Blacklist1 = EventCode="4656" Message="ObjectType:\s+(!?File)"
But with my conf it doesn't work.
Where is the mistake?
There's no need for a capturing group. Also, (!? is not a valid regex construct. Perhaps you meant (?!, but there's no need for negation.
Have you tried whitelist1 = EventCode="4656" Message="ObjectType:\s+File" ?
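A quick way to see what each filter line does before touching a production forwarder is to replay it against a few sample events. The script below is an added example, not code from the original post or from Splunk: it parses inputs.conf-style whitelist/blacklist lines into per-field regexes and applies them the way the Windows Event Log input is documented to (every field="regex" pair on one line must match, a whitelist keeps events that match at least one whitelist line, a blacklist drops events that match any blacklist line); the exact precedence between whitelists and blacklists, and unanchored search semantics, are assumptions here. The sample events are constructed and use the asker's "ObjectType:" spelling rather than real 4656 output. Note that in Python's re, (!?File) does compile, as a group matching an optional "!" before "File", so what the replay makes visible is the filter direction: a blacklist that matches File events drops exactly the events the asker wanted to keep.

```python
import re

# Constructed sample events (not from the original post). Real 4656 messages
# should be checked for the literal label before trusting any regex.
SAMPLE_EVENTS = [
    {"EventCode": "4656",
     "Message": "A handle to an object was requested.\r\nObjectType:  File\r\nObjectName: C:\\secret.txt"},
    {"EventCode": "4656",
     "Message": "A handle to an object was requested.\r\nObjectType:  Key\r\nObjectName: \\REGISTRY\\MACHINE\\SAM"},
    {"EventCode": "4663",
     "Message": "An attempt was made to access an object.\r\nObjectType:  File"},
]

# The asker's line and the suggested replacement, as they would appear in inputs.conf.
ASKER_CONF = ['Blacklist1 = EventCode="4656" Message="ObjectType:\\s+(!?File)"']
FIXED_CONF = ['whitelist1 = EventCode="4656" Message="ObjectType:\\s+File"']

# field="regex" pairs; the regex body may contain backslash escapes such as \s.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_filter_line(line):
    """Turn 'whitelist1 = EventCode="4656" Message="..."' into ('whitelist', {field: compiled regex})."""
    key, _, rhs = line.partition("=")
    kind = key.strip().lower().rstrip("0123456789")
    if kind not in ("whitelist", "blacklist"):
        raise ValueError("not a whitelist/blacklist line: %r" % line)
    rules = {field: re.compile(pattern) for field, pattern in PAIR_RE.findall(rhs)}
    if not rules:
        raise ValueError("no field=\"regex\" pairs found in %r" % line)
    return kind, rules


def rule_matches(rules, event):
    # Assumption: all pairs on one line are ANDed, and each regex is searched
    # anywhere in the field value (unanchored).
    return all(rx.search(event.get(field, "")) for field, rx in rules.items())


def filter_events(conf_lines, events):
    """Return the events a forwarder configured with conf_lines would pass on."""
    whitelists, blacklists = [], []
    for line in conf_lines:
        kind, rules = parse_filter_line(line)
        (whitelists if kind == "whitelist" else blacklists).append(rules)
    kept = []
    for event in events:
        # Assumption: with whitelists present, an event must hit one of them;
        # any blacklist hit then drops the event.
        if whitelists and not any(rule_matches(r, event) for r in whitelists):
            continue
        if any(rule_matches(r, event) for r in blacklists):
            continue
        kept.append(event)
    return kept


OBJECT_TYPE_RE = re.compile(r"ObjectType:\s+(\w+)")


def summarize(events):
    """Compact 'EventCode/ObjectType' view of a result set, for eyeballing."""
    out = []
    for event in events:
        m = OBJECT_TYPE_RE.search(event["Message"])
        out.append("%s/%s" % (event["EventCode"], m.group(1) if m else "?"))
    return out


if __name__ == "__main__":
    print("asker's blacklist keeps:", summarize(filter_events(ASKER_CONF, SAMPLE_EVENTS)))
    print("suggested whitelist keeps:", summarize(filter_events(FIXED_CONF, SAMPLE_EVENTS)))
```

Run as-is, the asker's blacklist line keeps the 4656 registry-key event and the unrelated 4663 event while discarding the 4656 File event, whereas the whitelist line keeps only the 4656 File event. Before deploying, paste a raw Message from the target host into SAMPLE_EVENTS, since the label in a real 4656 event may be spelled or spaced differently from "ObjectType:".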