Ciao Giuseppe,
thanks for your comment.
I think I'm missing something... just to be clear, I'm trying to filter Windows event logs, not custom ones.
In another stanza I have these settings, which are running correctly:
[WinEventLog://Security]
index = winsecevents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662|566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="4634|4624" Message="Logon Type:\s+3"
# Path separators must be escaped: the value is handed to the regex engine as-is,
# so a bare \P, \M or \A is read as a regex escape rather than a literal backslash.
blacklist3 = EventCode="4648|4658" Message="Process Name:\s+C:\\Program\sFiles\\Microsoft\sAzure\sAD\sSync\\Bin\\miiserver.exe"
renderXml = true
The only difference is the keyword "blacklist" instead of "whitelist", but this one:
whitelist = EventCode="104" TaskCategory=".*Log\sclear"
or this:
whitelist = EventCode="104" Message=".+\slog\sfile\swas\scleared."
looks totally correct to me.
Thanks.
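To make the key="regex" form of these entries concrete, here is an added example that is not from this thread and not Splunk's own code: a small Python emulation of how whitelist/blacklist entries are evaluated, run over constructed sample events. It assumes the semantics described in the Splunk documentation for this format (every field="regex" pair in one entry must match for the entry to match; any matching blacklistN drops the event; when whitelistN entries exist, only events matching one of them are kept). The unanchored per-field search, the field names on the sample events and the events themselves are my assumptions and constructions. It also shows why a path with unescaped backslashes, as in the blacklist3 entry above, does not even compile as a regex, while the escaped form matches.

```python
import re

# Parse a Splunk-style entry value such as
#   EventCode="4634|4624" Message="Logon Type:\s+3"
# into (field, regex_source) pairs. Backslashes inside the quotes are kept
# verbatim, which is how inputs.conf hands them to the regex engine.
ENTRY_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_entry(value):
    return ENTRY_RE.findall(value)


def entry_compiles(value):
    """True if every regex in the entry is a valid pattern."""
    try:
        for _, pattern in parse_entry(value):
            re.compile(pattern)
        return True
    except re.error:
        return False


def entry_matches(value, event):
    """Assumption: every field="regex" pair must match (unanchored search);
    a field missing from the event counts as no match."""
    for field, pattern in parse_entry(value):
        text = event.get(field)
        if text is None or re.search(pattern, text) is None:
            return False
    return True


def keep_event(event, whitelist=(), blacklist=()):
    """Assumed stanza semantics: any blacklistN hit drops the event; when
    whitelistN entries exist, only events hitting at least one are kept."""
    if any(entry_matches(b, event) for b in blacklist):
        return False
    if whitelist:
        return any(entry_matches(w, event) for w in whitelist)
    return True


# Constructed sample events (not captured data), shaped like the fields
# Splunk extracts from Windows event log records.
EVENTS = {
    "net_logon": {"EventCode": "4624",
                  "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t3"},
    "rdp_logon": {"EventCode": "4624",
                  "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t10"},
    "aadsync":   {"EventCode": "4648",
                  "Message": "A logon was attempted using explicit credentials.\r\n\r\n"
                             "Process Name:\tC:\\Program Files\\Microsoft Azure AD Sync\\Bin\\miiserver.exe"},
    "log_clear": {"EventCode": "104", "TaskCategory": "Log clear",
                  "Message": "The System log file was cleared."},
    "svc_start": {"EventCode": "6005", "TaskCategory": "None",
                  "Message": "The Event log service was started."},
}

# Security stanza blacklist, with the path separators escaped for the regex engine.
BLACKLIST = [
    r'EventCode="4634|4624" Message="Logon Type:\s+3"',
    r'EventCode="4648|4658" Message="Process Name:\s+C:\\Program\sFiles\\Microsoft\sAzure\sAD\sSync\\Bin\\miiserver.exe"',
]
# The same entry with bare backslashes: \P is not a valid escape, so it never compiles.
UNESCAPED = r'EventCode="4648|4658" Message="Process Name:\s+C:\Program\sFiles\Microsoft\sAzure\sAD\sSync\Bin\miiserver.exe"'

# Both whitelist forms from the question, OR-ed together as whitelist1/whitelist2.
WHITELIST_104 = [
    r'EventCode="104" TaskCategory=".*Log\sclear"',
    r'EventCode="104" Message=".+\slog\sfile\swas\scleared."',
]


def filter_security(events):
    """Names of events that survive the blacklist-only Security stanza."""
    return sorted(n for n, ev in events.items() if keep_event(ev, blacklist=BLACKLIST))


def filter_system_104(events):
    """Names of events that survive a whitelist-only stanza for event 104."""
    return sorted(n for n, ev in events.items() if keep_event(ev, whitelist=WHITELIST_104))


if __name__ == "__main__":
    print("unescaped blacklist3 compiles:", entry_compiles(UNESCAPED))
    print("kept by Security blacklist:   ", filter_security(EVENTS))
    print("kept by 104 whitelist:        ", filter_system_104(EVENTS))
```

The emulation drops the Logon Type 3 logon and the miiserver.exe event, keeps the RDP logon, and the whitelist keeps only the log-clear event; the unescaped entry is rejected outright, which is the failure mode to look for when a blacklistN or whitelistN containing a Windows path silently does nothing.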