Ok,I understood why it doesn't works. I have renderXml=true and if I check the windows event,there's not any field i was looking for. I must change the logic,parsing the raw xml and looking through it. ... View more

Ciao Giuseppe, thanks for your comment. I think i'm missing something...just to be clear,I'm trying to filter windows event logs and not custom. In another stanza I have these settings that are running correctly : [WinEventLog://Security] index = winsecevents disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662|566" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="4634|4624" Message="Logon Type:\s+3" blacklist3 = EventCode="4648|4658" Message="Process Name:\s+C:\Program\sFiles\Microsoft\sAzure\sAD\sSync\Bin\miiserver.exe" renderXml=true The difference is just the keyword "blacklist" instead of "whitelist" but this one : whitelist = EventCode="104" TaskCategory=".*Log\sclear" or this : whitelist = EventCode="104" Message=".+\slog\sfile\swas\scleared." looks totally correct to me. Thanks. ... View more

Hi there,the issue is related to the second part of the filter : taskcategory/message (they are on the same line but the post has been modified. ... View more