Thanks for the response. I was able to get Security events to forward but wasn't able to get filtering to work. I think I'm pretty close but maybe have a typo or something missing.
Here's what I have configured.
inputs.conf

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

props.conf

[WinEventLog:Security]
TRANSFORMS-set= setnull

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(4634|4624)
DEST_KEY = queue
FORMAT = indexQueue
Thanks.
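Added example (not the poster's configuration or Splunk's own code): a small simulation of how Splunk applies a TRANSFORMS-set list, showing the posted props.conf line (which references only setnull) beside the documented form that lists setnull followed by setparsing, so that the later indexQueue match overrides the earlier nullQueue match for the wanted EventCodes. It assumes Splunk's documented ordering rule (later transforms in the list override the queue set by earlier ones) and uses constructed, abbreviated Security events as input.

```python
import re

# props.conf as posted (setnull only) beside the documented nullQueue-routing
# form (setnull first, then the keep-list). Both lists are assumptions for
# illustration, not copied from a working deployment.
TRANSFORMS_AS_POSTED = ["setnull"]
TRANSFORMS_FIXED = ["setnull", "setparsing"]

# transforms.conf stanzas from the post as (REGEX, FORMAT); DEST_KEY is queue.
TRANSFORMS = {
    "setnull": (re.compile(r"."), "nullQueue"),
    "setparsing": (re.compile(r"(?m)^EventCode=(4634|4624)"), "indexQueue"),
}

def route_event(raw_event, transform_names):
    """Apply the listed transforms in order; the last one whose REGEX matches
    sets the queue. An event matched by none stays in the default indexQueue."""
    queue = "indexQueue"
    for name in transform_names:
        regex, fmt = TRANSFORMS[name]
        if regex.search(raw_event):
            queue = fmt
    return queue

# Constructed sample events in the multi-line WinEventLog raw layout; the
# (?m)^ anchor in setparsing only works because EventCode= starts a line.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on.",
    "LogName=Security\nEventCode=4634\nMessage=An account was logged off.",
    "LogName=Security\nEventCode=4672\nMessage=Special privileges assigned to new logon.",
]

def summarize(transform_names):
    """Return {EventCode: queue} for each sample event under one TRANSFORMS list."""
    result = {}
    for ev in SAMPLE_EVENTS:
        code = re.search(r"(?m)^EventCode=(\d+)", ev).group(1)
        result[code] = route_event(ev, transform_names)
    return result

if __name__ == "__main__":
    print("as posted:", summarize(TRANSFORMS_AS_POSTED))  # every event dropped
    print("fixed:    ", summarize(TRANSFORMS_FIXED))      # 4624/4634 kept
```

The simulation assumes the transforms run where parsing happens (an indexer or heavy forwarder); a universal forwarder does not evaluate props/transforms queue routing.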