Hello, I am trying to modify the behaviour of a forwarder installed on a Windows server. I would like to prevent the forwarder from sending Windows events with EventType=4.
I have tried everything but it still doesn't work; all EventTypes (1, 2, 3, 4) are still forwarded.
Thanks for your help.
My props.conf is:
[WMI:WinEventLog:System]
TRANSFORMS-wmi=wminullEvents
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminullEvents
[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminullEvents
My transforms.conf is:
[wminullEvents]
REGEX=(?msi)^EventType=(4)
DEST_KEY=queue
FORMAT=nullQueue