Currently trying to limit logs out of the application, security, and system logs. I want to send only application and system critical/error to one index and security to a different index.
[WinEventLog://Application] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index=machine [WinEventLog://System] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index=machine
Props.conf [WinEventLog:Application] TRANSFORMS-FilterEvents = Win_App_Log_FilterErrorEvents
[WinEventLog:System] TRANSFORMS-FilterEvents = Win_Sys_Log_FilterErrorEvent
transform.conf
[Win_App_Log_FilterErrorEvents] REGEX = (?ism)Type=Error|Critical DEST_KEY = queue FORMAT = nullQueue
[Win_Sys_Log_FilterErrorEvent] REGEX = (?ism)Type=Error|Critical DEST_KEY = queue FORMAT = nullQueue
This is for the security event log
[WinEventLog:Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 0 checkpointInterval = 5 whitelist = 4674,4720,4725,4726,4727,4728,4740,4947,5136,5137,5141 index = labser_av_ads
I cant' see anything wrong with this.