Some comments to the above post. It's better to remove stuff at the Universal Forwarder instead of HF or Index. So to remove 4662, add the following to an input.file:

# Used to block 4662 message
[WinEventLog://Security]
blacklist1 = 4662

Or you can do like this. Block all 4662 messages except 4662 with Message="ms-Mcs-AdmPwd":

[WinEventLog://Security]
whitelist1 = EventCode="^4662$" Message="ms-Mcs-AdmPwd"
whitelist2 = EventCode="^((?!4662$)[0-9]*)$"

Take care with this:

REGEX=EventCode=(4776|4662|4634|4688|4648|4907|4768|4624||538|560|552|534)

This may block all, due to the double ||, I guess that is a typo. Also it will block 1552, 5525 etc., so here you should use ^ and $.
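To check the two regex points raised in this comment (the empty alternative from the double `||`, and the missing `^`/`$` anchors) without a Splunk instance, here is an added example that is not part of the original post. It emulates the inputs.conf whitelist/blacklist evaluation in Python: the assumption that every key=regex pair inside one entry must match while separate entries are ORed follows Splunk's inputs.conf documentation, and the event records are constructed samples.

```python
import re

# Constructed EventCode values as a WinEventLog input would present them.
EVENT_CODES = ["4662", "4624", "1552", "5525", "538", "4100"]

# Blacklist regex as quoted in the thread, including the stray empty alternative ("||").
FLAWED_REGEX = r"(4776|4662|4634|4688|4648|4907|4768|4624||538|560|552|534)"
# Same list with the empty alternative removed but still unanchored.
UNANCHORED_REGEX = r"(4776|4662|4634|4688|4648|4907|4768|4624|538|560|552|534)"
# Corrected version: anchored with ^ and $ so only whole event codes match.
FIXED_REGEX = r"^(4776|4662|4634|4688|4648|4907|4768|4624|538|560|552|534)$"


def blocked_codes(regex, codes=EVENT_CODES):
    """Event codes a blacklist entry using `regex` would drop.

    Splunk applies the regex to the field value as an unanchored search, which
    re.search emulates; an empty alternative therefore matches every value, and
    an unanchored "552" also matches "1552" and "5525".
    """
    pattern = re.compile(regex)
    return [code for code in codes if pattern.search(code)]


def entry_matches(entry, event):
    """One whitelistN/blacklistN entry: all key=regex pairs must match (assumed AND)."""
    return all(re.search(rx, event.get(field, "")) for field, rx in entry.items())


def allowed_by_whitelist(whitelist, event):
    """Separate whitelist entries are ORed (assumed); the event passes if any matches."""
    return any(entry_matches(entry, event) for entry in whitelist)


# Whitelist from the post: keep 4662 only when it concerns ms-Mcs-AdmPwd,
# and keep every other event code via the negative lookahead in whitelist2.
WHITELIST = [
    {"EventCode": r"^4662$", "Message": r"ms-Mcs-AdmPwd"},
    {"EventCode": r"^((?!4662$)[0-9]*)$"},
]

# Constructed sample events (not real log data).
LAPS_READ = {"EventCode": "4662", "Message": "Properties: ms-Mcs-AdmPwd"}
OTHER_4662 = {"EventCode": "4662", "Message": "Properties: someOtherAttribute"}
LOGON = {"EventCode": "4624", "Message": "An account was successfully logged on."}

if __name__ == "__main__":
    print("flawed blacklist drops:   ", blocked_codes(FLAWED_REGEX))
    print("unanchored blacklist drops:", blocked_codes(UNANCHORED_REGEX))
    print("anchored blacklist drops:  ", blocked_codes(FIXED_REGEX))
    for name, ev in [("LAPS_READ", LAPS_READ), ("OTHER_4662", OTHER_4662), ("LOGON", LOGON)]:
        print(name, "kept by whitelist:", allowed_by_whitelist(WHITELIST, ev))
```

Python's `re` and Splunk's PCRE agree on these patterns; only the anchored blacklist drops exactly the listed codes, and only the `ms-Mcs-AdmPwd` 4662 event survives the whitelist.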