Hello all,
I would like to exclude the following Windows event log on the universal forwarder.
07/15/2020 08:38:55 AM
LogName=Microsoft-Windows-PowerShell/Operational
SourceName=Microsoft-Windows-PowerShell
EventCode=4103
EventType=4
Type=Information
ComputerName=HA-AGM-DB-01.SSI.LOCAL
User=NOT_TRANSLATED
Sid=S-1-5-21-2993187273-2588912068-3154952105-14529
SidType=0
TaskCategory=Executing Pipeline
OpCode=To be used when operation is just executing a method
RecordNumber=90748
Keywords=None
Message=CommandInvocation(Out-Host): "Out-Host"
CommandInvocation(Out-Default): "Out-Default"
ParameterBinding(Out-Default): name="Transcript"; value="True"
Context:
Severity = Informational
Host Name = ApmPSHost
Host Version = 1.0
Host ID = 85e424db-4fce-46cb-90d4-bace72bb3e2a
Host Application = SWJobEngineWorker2.exe 3e167b33-0a26-4f7e-9964-e38b1e939cc6 6612 AgentPlugin SolarWinds.APM.Probes
Engine Version = 5.1.14393.3383
Runspace ID = 3c6aab92-96b5-464d-8659-0e81de6d4ec9
Pipeline ID = 1
Command Name =
Command Type = Script
Script Name =
Command Path =
Sequence Number = 193
User = xxxxx
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Tried with this blacklist:
blacklist = EventCode="4103" Message="Host\sApplication\s=*SolarWinds.APM.Probes"
I got it:
blacklist1 = EventCode="4103" Message="Host Application =\s+.*SolarWinds.APM.Probes"
*Updated* Have a try with this blacklist stanza:
blacklist1 = EventCode="4103" Message="Host Application\s=\s*.*SolarWinds\.APM\.Probes"
Thanks, but not working
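
An offline check of the three blacklist stanzas from this thread against the posted event, added here as an example (not code from any poster or from Splunk). It uses Python's `re` as a stand-in for the forwarder's regex matching and assumes an event is dropped only when every `key="regex"` pair in the stanza matches; `OTHER_HOST` and `LOOKALIKE` are constructed events, and `parse`/`is_blacklisted` are hypothetical helper names.

```python
import re

# Fields abridged from the event posted in the question.
EVENT = {
    "EventCode": "4103",
    "Message": (
        'CommandInvocation(Out-Host): "Out-Host"\n'
        "Context:\n"
        "Severity = Informational\n"
        "Host Name = ApmPSHost\n"
        "Host Application = SWJobEngineWorker2.exe "
        "3e167b33-0a26-4f7e-9964-e38b1e939cc6 6612 AgentPlugin SolarWinds.APM.Probes\n"
        "Engine Version = 5.1.14393.3383\n"
    ),
}
# Constructed events (not from the thread): 4103 logging that should be KEPT.
OTHER_HOST = dict(EVENT, Message="Context:\nHost Application = powershell.exe -NoProfile\n")
LOOKALIKE = dict(EVENT, Message="Context:\nHost Application = x.exe SolarWindsXAPMXProbes\n")

# The three stanza values exactly as posted in the thread.
STANZAS = {
    "first_try": r'EventCode="4103" Message="Host\sApplication\s=*SolarWinds.APM.Probes"',
    "accepted": r'EventCode="4103" Message="Host Application =\s+.*SolarWinds.APM.Probes"',
    "updated": r'EventCode="4103" Message="Host Application\s=\s*.*SolarWinds\.APM\.Probes"',
}

def parse(stanza):
    """Split a stanza value into (key, regex) pairs. Simplified: double-quote delimiters only."""
    return re.findall(r'(\w+)="([^"]*)"', stanza)

def is_blacklisted(stanza, event):
    """True when every key's regex is found somewhere in that field (assumed AND semantics)."""
    pairs = parse(stanza)
    return bool(pairs) and all(re.search(rx, event.get(key, "")) for key, rx in pairs)

def report():
    """Return {stanza name: (drops posted event, drops other host, drops lookalike)}."""
    return {
        name: tuple(is_blacklisted(s, e) for e in (EVENT, OTHER_HOST, LOOKALIKE))
        for name, s in STANZAS.items()
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:10} posted={result[0]} other_host={result[1]} lookalike={result[2]}")
```

In the first attempt `=*` means "zero or more `=`", so nothing consumes the text between `=` and `SolarWinds`. The unescaped dots in the accepted stanza also match the constructed lookalike, which the escaped form keeps.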