Hi,
I would like to filter out some event logs coming from different forwarders.
I have been able to filter out some specific winevents coming from the security log.
Now I would like to optimize my indexing and filter other events from other sources like application events.
It is not working when I am adding a new stanza in transforms.conf. Only winevent security is filtered out.
Would you please have an idea?
Here are my files below:
--------props-----
[WinEventLog:Security]
TRANSFORMS-Security=setnull,setparsing
[WinEventLog:Application]
TRANSFORMS-Application=setnull2,setparsing2
-----------transforms-----------
[setnull]
REGEX = (?m).
DEST_KEY = queue
FORMAT = nullQueue
[setnull2]
REGEX = (?m)^Database_copy=(MailDB_14|MailDB_04)
DEST_KEY = queue
FORMAT = nullqueue
[setparsing]
REGEX = (?m)^EventCode=(5157|4625|4624|7036|1102|1033)
DEST_KEY = queue
FORMAT = indexQueue
[setparsing2]
REGEX = (?m).
DEST_KEY = queue
FORMAT = indexQueue
Thank you
Joffrey
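
A small Python model of how the two transform lists above route events, added here as an example (it is not part of the original post and is not Splunk code). It assumes the rule from Splunk's route-and-filter documentation that transforms in a list run in order and the last matching one sets the queue; the `route` helper and the sample events are constructed for illustration.

```python
import re

# The poster's transforms.conf, transcribed as name -> (REGEX, FORMAT).
TRANSFORMS = {
    "setnull":     (r"(?m).", "nullQueue"),
    "setnull2":    (r"(?m)^Database_copy=(MailDB_14|MailDB_04)", "nullqueue"),
    "setparsing":  (r"(?m)^EventCode=(5157|4625|4624|7036|1102|1033)", "indexQueue"),
    "setparsing2": (r"(?m).", "indexQueue"),
}

# Same stanzas with only [setnull2] changed to the documented spelling.
FIXED = dict(TRANSFORMS, setnull2=(TRANSFORMS["setnull2"][0], "nullQueue"))

def route(event, names, transforms=TRANSFORMS):
    """Return the final queue for one event.

    Assumed model: each transform in the list runs in order, and every one
    whose REGEX matches overwrites the queue, so the last match decides.
    """
    queue = "indexQueue"  # events are indexed unless a transform says otherwise
    for name in names:
        regex, fmt = transforms[name]
        if re.search(regex, event):
            queue = fmt
    return queue

# Constructed sample events (not taken from the poster's logs).
SEC_KEEP = "LogName=Security\nEventCode=4624\nMessage=logon"
SEC_DROP = "LogName=Security\nEventCode=4688\nMessage=process created"
APP_MAILDB = "LogName=Application\nDatabase_copy=MailDB_14\nMessage=copy status"
APP_OTHER = "LogName=Application\nEventCode=1000\nMessage=application error"

def demo():
    return {
        # Security: drop everything, then re-queue the listed EventCodes.
        "sec_keep": route(SEC_KEEP, ["setnull", "setparsing"]),
        "sec_drop": route(SEC_DROP, ["setnull", "setparsing"]),
        # Application as posted: setparsing2 matches every event and
        # overwrites whatever setnull2 decided.
        "app_posted": route(APP_MAILDB, ["setnull2", "setparsing2"]),
        # Drop-specific-keep-rest needs only the null-queue transform.
        "app_fixed_maildb": route(APP_MAILDB, ["setnull2"], FIXED),
        "app_fixed_other": route(APP_OTHER, ["setnull2"], FIXED),
    }

if __name__ == "__main__":
    for case, queue in demo().items():
        print(f"{case}: {queue}")
```

In this model the Application list never drops anything, because `setparsing2` matches every event after `setnull2` has run; listing only `setnull2`, with `FORMAT = nullQueue`, sends the MailDB events to the null queue and leaves the rest indexed.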