I am sending some events to the nullQueue and it used to work in 4.0.x and 4.1.x, but now it is not sending any events to nullQueue. I have the following configuration:
props.conf
[wmi]
TRANSFORMS-nuke=wmi2nullQ
transforms.conf
[wmi2nullQ]
REGEX=(?im)(CategoryString=Logoff)[^$]+\s+(EventIdentifier=4634)
DEST_KEY = queue
FORMAT = nullQueue
Why does this no longer work? Nothing has changed since applying a newer 4.2.x release.
In 4.0.x and 4.1.x, the stanza in props.conf had to be [wmi].
With 4.2.x, you must use the actual sourcetype name.
For example:
[WMI:WinEventLog:Security]
TRANSFORMS-send2nullq= wmi2nullQ
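A way to check offline which props.conf stanza actually binds the nullQueue transform to the sourcetype, as an added example (not code from this thread or from Splunk). Assumptions: the function names are hypothetical, the two events are constructed samples, Python's re stands in for Splunk's regex engine, and only a stanza named exactly after the sourcetype is considered, as the answer describes for 4.2.x.

```python
import configparser
import re

# Stanzas copied from the thread; the events below are constructed samples.
PROPS_QUESTION = "[wmi]\nTRANSFORMS-nuke=wmi2nullQ\n"
PROPS_ANSWER = "[WMI:WinEventLog:Security]\nTRANSFORMS-send2nullq= wmi2nullQ\n"
TRANSFORMS = r"""
[wmi2nullQ]
REGEX=(?im)(CategoryString=Logoff)[^$]+\s+(EventIdentifier=4634)
DEST_KEY = queue
FORMAT = nullQueue
"""
LOGOFF_EVENT = ("Category=12545\nCategoryString=Logoff\nEventCode=4634\n"
                "EventIdentifier=4634\nLogfile=Security\n")
LOGON_EVENT = ("Category=12544\nCategoryString=Logon\nEventCode=4624\n"
               "EventIdentifier=4624\nLogfile=Security\n")


def load(text):
    """Parse .conf text, keeping key case and treating only '=' as delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def null_queue_regexes(sourcetype, props_text, transforms_text):
    """REGEXes of nullQueue transforms bound to the stanza named exactly
    like the sourcetype (simplification: no source:: or host:: stanzas)."""
    props, transforms = load(props_text), load(transforms_text)
    if not props.has_section(sourcetype):
        return []
    found = []
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if not transforms.has_section(name):
                continue
            t = transforms[name]
            if (t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue"
                    and "REGEX" in t):
                found.append(t["REGEX"])
    return found


def is_dropped(event, sourcetype, props_text, transforms_text):
    """True if any bound nullQueue REGEX matches the event text."""
    regexes = null_queue_regexes(sourcetype, props_text, transforms_text)
    return any(re.search(rx, event) for rx in regexes)
```

With the question's [wmi] stanza, `is_dropped` returns False for a `WMI:WinEventLog:Security` logoff event; with the answer's stanza it returns True, while the logon event is kept in both cases.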