Hi, I would like to filter out some event logs coming from different forwarders. I have been able to filter out some specific winevents coming from the security log. Now I would like to optimize my indexing and filter other events from other sources like application events. It is not working when I add a new stanza in transforms.conf. Only winevent security is filtered out.
Would you please have an idea? Here are my files below:
--------props-----
[WinEventLog:Security]
TRANSFORMS-Security=setnull,setparsing

[WinEventLog:Application]
TRANSFORMS-Application=setnull2,setparsing2

-----------transforms-----------
[setnull]
REGEX = (?m).
DEST_KEY = queue
FORMAT = nullQueue

[setnull2]
REGEX = (?m)^Database_copy=(MailDB_14|MailDB_04)
DEST_KEY = queue
FORMAT = nullqueue

[setparsing]
REGEX = (?m)^EventCode=(5157|4625|4624|7036|1102|1033)
DEST_KEY = queue
FORMAT = indexQueue

[setparsing2]
REGEX = (?m).
DEST_KEY = queue
FORMAT = indexQueue
Thank you,
Joffrey
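An added example, not part of the original post: a small Python model of how the posted props and transforms stanzas decide each event's queue, assuming the transforms in a class run in the listed order and the last matching one sets the queue. The sample events and the `REORDERED` mapping are constructed for illustration.

```python
import re

# The poster's transforms.conf stanzas: name -> (REGEX, FORMAT), values as posted.
TRANSFORMS = {
    "setnull": (r"(?m).", "nullQueue"),
    "setnull2": (r"(?m)^Database_copy=(MailDB_14|MailDB_04)", "nullqueue"),
    "setparsing": (r"(?m)^EventCode=(5157|4625|4624|7036|1102|1033)", "indexQueue"),
    "setparsing2": (r"(?m).", "indexQueue"),
}

# The poster's props.conf: sourcetype -> ordered transform list.
PROPS = {
    "WinEventLog:Security": ["setnull", "setparsing"],
    "WinEventLog:Application": ["setnull2", "setparsing2"],
}

def route(sourcetype, raw, props=PROPS, default="indexQueue"):
    """Return the final queue value for one event.
    Assumed model: transforms run in listed order and every match
    overwrites the queue key, so the last matching transform decides."""
    queue = default
    for name in props.get(sourcetype, []):
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, raw):
            queue = fmt  # FORMAT string kept exactly as posted
    return queue

# Constructed sample events (not real log data).
SEC_KEEP = "LogName=Security\nEventCode=4624\nMessage=constructed logon event"
SEC_DROP = "LogName=Security\nEventCode=4688\nMessage=constructed process event"
APP_DB = "LogName=Application\nEventCode=2080\nDatabase_copy=MailDB_14\nMessage=constructed"
APP_OTHER = "LogName=Application\nEventCode=1000\nMessage=constructed"

def report(props=PROPS):
    """Queue chosen for each of the four sample events, in a fixed order."""
    events = [("WinEventLog:Security", SEC_KEEP), ("WinEventLog:Security", SEC_DROP),
              ("WinEventLog:Application", APP_DB), ("WinEventLog:Application", APP_OTHER)]
    return [route(st, raw, props) for st, raw in events]

# Hypothetical ordering for comparison: catch-all keep first, drop rule last.
REORDERED = {**PROPS, "WinEventLog:Application": ["setparsing2", "setnull2"]}

if __name__ == "__main__":
    print("as posted:", report())
    print("reordered:", report(REORDERED))
```

Under this model the posted Application order sends every event, including the `Database_copy` ones, back to `indexQueue`, which matches the symptom described; the Security class differs only in that its catch-all comes first.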