Complete newb here, any help appreciated!
props.conf
# Index-time routing for WMI-collected Windows event logs, keyed by sourcetype.
# TRANSFORMS-<class> applies the listed transforms.conf stanzas left to right, and
# every stanza that matches overwrites the event's queue. The order is what makes
# this an allowlist: setnulla first marks every event for nullQueue (discard),
# then the parse* stanzas send matching EventCodes back to indexQueue.
# NOTE(review): events that no parse* regex matches are dropped before indexing
# and cannot be searched afterwards. For the Security log this list therefore
# defines detection and forensic coverage - check it against the audit policy.
# NOTE(review): queue routing happens where events are parsed (indexer or heavy
# forwarder) - confirm this file is deployed on that tier.
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnulla,parse2003secevents,parse2008secevents
# Same discard-then-keep chain for the System log, using its own stanza names.
[WMI:WinEventLog:System]
TRANSFORMS-set= setnullb,parse2003sysevents,parse2008sysevents
transforms.conf
# Catch-all discard for the Security chain. "." matches any event that has at
# least one character; DEST_KEY = queue with FORMAT = nullQueue routes it to the
# null queue, so it is never indexed.
# Must be listed first in TRANSFORMS-set so that later keep rules can override it.
[setnulla]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
# Keep rule for the Security chain: an event whose EventCode is on this list is
# routed back to indexQueue and indexed.
# (?m) lets ^ match at the start of any line inside a multi-line event; \b stops
# a listed code from matching as the prefix of a longer one. (?s) has no effect
# here because the pattern contains no ".".
# "xxx" is the poster's placeholder for the real codes - presumably the 3-digit
# Windows 2003-era Security event IDs; confirm.
[parse2003secevents]
REGEX =(?msi)^EventCode=(xxx|xxx)\b
DEST_KEY = queue
FORMAT = indexQueue
# Second keep rule for the Security chain, written for 4-character codes
# ("xxxx" is a placeholder - presumably Windows 2008-era Security event IDs; confirm).
# A match here is enough on its own to index the event, whether or not
# parse2003secevents matched.
# NOTE(review): a Security EventCode missing from both keep lists is discarded
# at index time, so adding a detection later does not recover past events.
[parse2008secevents]
REGEX =(?msi)^EventCode=(xxxx|xxxx)\b
DEST_KEY = queue
FORMAT = indexQueue
# Catch-all discard for the System chain; same settings as [setnulla].
# Every System event is marked for nullQueue here, and only the parse*sysevents
# stanzas listed after it in TRANSFORMS-set can move an event back to indexQueue.
[setnullb]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
# Keep rule for the System chain: events whose EventCode line matches one of the
# listed codes are routed to indexQueue instead of being discarded.
# ^ is anchored per line by (?m), so the EventCode= field may sit on any line of
# the event; \b requires the code to end right after the listed digits.
# "xxx" is a placeholder for the real codes - presumably Windows 2003-era IDs; confirm.
[parse2003sysevents]
REGEX =(?msi)^EventCode=(xxx|xxx)\b
DEST_KEY = queue
FORMAT = indexQueue
# Second keep rule for the System chain, for 4-character codes ("xxxx" is a
# placeholder - presumably Windows 2008-era System event IDs; confirm).
# System events matching neither this stanza nor parse2003sysevents stay in
# nullQueue and are not indexed.
[parse2008sysevents]
REGEX =(?msi)^EventCode=(xxxx|xxxx)\b
DEST_KEY = queue
FORMAT = indexQueue