Hello guys
I'm trying to drop the end of all Security events:
This event is generated when a logon session is created. It is generated on the computer that was accessed.
....
My conf files on the Heavy Forwarder are:
transforms.conf
[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1
props.conf
[WinEventLog:Security]
TRANSFORMS-windows_events =win-event-cut-en
However, this does not work.
How to configure a heavy forwarder to filter out the ending string from Windows security event logs?
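The transforms.conf stanza above matches nothing on a multi-line event because "." does not cross newlines unless the (?s) flag is set, and the possessive ".*+" never gives characters back. Below is an added example, not from the original post or from Splunk, that emulates what DEST_KEY = _raw does with a corrected stanza: Python's re is used to stand in for Splunk's PCRE engine (the constructs used, (?s), a lazy .*?, \s* and a lookahead, behave the same in both), the stanza text is my assumed fix, and the sample event is constructed, not real log data.

```python
import re

# Assumed corrected stanza: (?s) lets "." span lines, the lazy ".*?" stops at the
# first occurrence of the boilerplate, and the lookahead keeps it out of $1.
TRANSFORMS_CONF = """
[win-event-cut-en]
DEST_KEY = _raw
REGEX = (?s)^(.*?)\\s*(?=This event is generated when)
FORMAT = $1
"""

def parse_stanza(conf: str, name: str) -> dict:
    """Minimal key = value reader for one stanza of a Splunk .conf file."""
    settings, in_stanza = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_stanza = line == f"[{name}]"
        elif in_stanza and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def apply_transform(raw: str, settings: dict) -> str:
    """Emulate DEST_KEY=_raw: when REGEX matches, _raw becomes FORMAT with $N filled in."""
    m = re.search(settings["REGEX"], raw)
    if not m:
        return raw  # Splunk leaves _raw untouched when REGEX does not match
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", settings["FORMAT"])

# Constructed sample event (not real log data) in the shape of a 4624 logon event.
SAMPLE_EVENT = (
    "01/01/2024 10:00:00 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-0-0\n"
    "\n"
    "This event is generated when a logon session is created. It is generated on the computer that was accessed.\n"
    "The subject fields indicate the account on the local system which requested the logon.\n"
)

if __name__ == "__main__":
    stanza = parse_stanza(TRANSFORMS_CONF, "win-event-cut-en")
    print(apply_transform(SAMPLE_EVENT, stanza))
```

The transform only runs where the data is first parsed, so it takes effect on the heavy forwarder only for events that arrive uncooked (for example from a universal forwarder); Splunk's SEDCMD setting in props.conf is a one-line alternative for the same truncation.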