Here is what is on the server.
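# Security event log input (Splunk inputs.conf): collected, filtered by the
# blacklists below, and sent to the "siem" index.
[WinEventLog://Security]
disabled = 0
# Read the channel from its oldest record and include events that already
# exist, not only those arriving after the input starts.
start_from = oldest
current_only = 0
# Resolve Active Directory object identifiers (GUID/SID) in events to names.
evt_resolve_ad_obj = 1
# Seconds between checkpoint saves.
checkpointInterval = 5
# Drop directory-object access events (4662, legacy 566) unless the object
# type is groupPolicyContainer, so only GPO-related ones are kept.
# NOTE(review): 4662 is also a common data source for detecting directory
# replication abuse; confirm no detection depends on the events dropped here.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# The entries below carry an empty Message regex, so they presumably filter on
# EventCode alone.
# 5156 / 5158: Windows Filtering Platform permitted connection / bind.
blacklist3 = EventCode="5156" Message=""
# 4656: handle to an object requested.
blacklist4 = EventCode="4656" Message=""
blacklist5 = EventCode="5158" Message=""
# 4660: object deleted. This entry was "blacklist10"; inputs.conf.spec
# documents only blacklist and blacklist1-blacklist9, so it was moved to a
# free numbered slot to make sure the filter is applied.
blacklist6 = EventCode="4660" Message=""
# 4690: handle duplicated.
blacklist8 = EventCode="4690" Message=""
# 4673: privileged service called.
# NOTE(review): this is sensitive-privilege-use telemetry; confirm that
# dropping it at the forwarder is acceptable for the SIEM use cases.
blacklist9 = EventCode="4673" Message=""
index = siem
# Keep the classic rendered-text event format. The Message regexes above match
# against that rendered text.
renderXml = false
sourcetype = wineventlog
# Adds the indexed field envir=PROD to every event from this input.
_meta = envir::PROD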
# System event log input. It is currently disabled, so the settings below have
# no effect and no System channel events are forwarded.
# NOTE(review): the System channel carries service-installation (7045) and
# log-cleared (104) events; confirm that leaving it uncollected is intended.
[WinEventLog://System]
disabled = 1
index = siem
sourcetype = wineventlog
renderXml = false
# Read from the oldest record, including events that already exist.
start_from = oldest
current_only = 0
# Seconds between checkpoint saves.
checkpointInterval = 5
# Adds the indexed field envir=PROD to every event from this input.
_meta = envir::PROD