Hi everyone, Been trying to get regex syntax to behave. What I have below works. It only shows events that are from the source "EMET".
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminull,wmiparse
transforms.conf
[wmiparse]
REGEX=(?m)^SourceName=(EMET)
DEST_KEY=queue
FORMAT=indexQueue
I'm trying to get it to find EMET source events that are also Error logs.
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminull,wmiparse
transforms.conf
[wmiparse]
REGEX=(?m)^SourceName=(EMET).*^Type=Error
DEST_KEY=queue
FORMAT=indexQueue
But that doesn't seem to work. Any ideas?
Thanks, -S