At the indexer, we are trying to exclude event records from incoming Windows logs that have Logon_Type=3.
Below is the configuration that we have, but it doesn't seem to work. Also, is there a way to test this code via the Search option in the UI before putting it in the conf files?
props.conf entry:
[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3
transforms.conf entry:
[Remove_Logon_Type_3]
REGEX=(?msi).*Logon Type:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue
Sample of the event record below; we are trying to eliminate records based on matching a text string in said record, because we are not sure whether we can explicitly name a specific field like "Logon_Type".
09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=SNODEV106
User=polypaths
Sid=S-1-5-21-1971354296-1767978563-709122288-167354
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3049159
Message=User Logoff:
User Name: polypaths
Domain: CGUSER
Logon ID: (0x0,0x644269C)
Logon Type: 3
Please advise. Thanks… Al
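One way to check a nullQueue regex offline before touching the conf files is to emulate the transform on sample events. The script below is an added example, not part of the question or any Splunk code: it routes constructed events (modelled on the one quoted above) through the posted regex and through a corrected one, using Python's re module as a stand-in for Splunk's PCRE engine (an assumption for these simple patterns). It shows why the posted regex misses the sample: the trailing \D requires a non-digit after "3", but "Logon Type: 3" is the last line of the event, so there is nothing after the digit to match.

```python
import re

# Constructed sample event, shaped like the one in the question: a Windows
# Security EventCode 538 record whose final line is "Logon Type: 3".
EVENT_LOGON_TYPE_3 = """09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
CategoryString=Logon/Logoff
Message=User Logoff:
User Name: polypaths
Domain: CGUSER
Logon ID: (0x0,0x644269C)
Logon Type: 3"""

# Constructed variant that must be kept (interactive logon, type 2).
EVENT_LOGON_TYPE_2 = EVENT_LOGON_TYPE_3.replace("Logon Type: 3", "Logon Type: 2")

# Constructed variant where "Logon Type: 3" is followed by another line.
EVENT_LOGON_TYPE_3_MID = EVENT_LOGON_TYPE_3 + "\nLogon Process: Kerberos"

# The regex from the question: \D needs a character after the "3", which is
# absent when "Logon Type: 3" ends the event, so the event is not dropped.
REGEX_ORIGINAL = r"(?msi).*Logon Type:\s*3\D"

# Corrected regex: (?m) makes ^ and $ match at line boundaries, and \s*$
# accepts the digit at end-of-line or end-of-event. No leading .* is needed.
REGEX_FIXED = r"(?mi)^Logon Type:\s*3\s*$"


def route(event: str, regex: str) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY=queue, FORMAT=nullQueue.

    A match sends the event to nullQueue (discarded); otherwise it is indexed.
    Python's re is assumed to behave like Splunk's PCRE for these patterns.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def route_all(events, regex):
    """Route a list of events and return the queue chosen for each."""
    return [route(e, regex) for e in events]


if __name__ == "__main__":
    sample = [EVENT_LOGON_TYPE_3, EVENT_LOGON_TYPE_2, EVENT_LOGON_TYPE_3_MID]
    for name, rx in (("original", REGEX_ORIGINAL), ("fixed", REGEX_FIXED)):
        print(name, route_all(sample, rx))
```

The same pattern can be checked against already-indexed events in the Splunk search bar with the regex command, e.g. `source="WinEventLog:Security" | regex _raw="(?mi)^Logon Type:\s*3\s*$"`, which returns only the events the transform would send to nullQueue.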