
filtering events using NullQueue

I was wondering if there is any way to filter EventCodes, but not every event that is being passed through. For example, is there a way to block EventCode 4624, but just the debug messages, and let the rest pass?

This is what we currently have to block Windows EventCodes:

REGEX=EventCode=(4624|4776|4662|4634|4688|4648|4907|4768|4624||538|560|552|534)

We want to remove EventCode=4624, leaving the rest. The EventCode=4624 is generated because of the "An account was successfully logged on" event on all servers. We want this enabled for most Windows servers, but want to block this event from our 13 domain controller hostnames. Is it possible to have multiple regexes sending to null queues?

