Hi, how can I filter out "Type=Success Audit" logs from a Windows event log and log only the failure logs? Currently I have this in transforms.conf: It is filtering out all of 673, but now I would like to capture the failure logs of 673 and not the success logs. I am just wondering whether something like this can be done? Thanks
I think something like this will work for you:
I would recommend reading up on regex syntax here: On second glance, I'm not sure that your given example stanza should work the way you want it to. If you have a regex that matches EventCode=673, then only those events would be sent to the null queue and everything else would be indexed as normal. So you really need a regex that matches everything but event code 673. Then, to meet your full requirements (filtering out the success messages), you would want a regex that filters out everything but failure 673 events. Another approach is to use two transformers, the first one routes all events to the You may find some more helpful examples on how to do this here:
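The two-transform routing described in the answer above, as an added example that is not part of the original post or its author's configuration. It emulates Splunk's ordered TRANSFORMS evaluation in Python (later matching transforms override earlier ones, so "send everything to nullQueue, then send failure 673 events back to indexQueue"), tests the regexes against constructed sample events, and shows why the spaces-around-"=" question further down the thread matters. The stanza names (setnull, keep_failed_673), the sample events and the props.conf stanza shown in comments are assumptions for illustration; Splunk uses PCRE, and these patterns use only constructs Python's re handles identically.

```python
import re

# Constructed sample events in the key=value layout Splunk's Windows event log
# input produces. These are made-up examples, not events from the thread.
SUCCESS_673 = """03/15/2010 09:12:44 AM
LogName=Security
SourceName=Security
EventCode=673
EventType=8
Type=Success Audit
ComputerName=DC01
User=jdoe
Message=Service Ticket Request
"""

FAILURE_673 = SUCCESS_673.replace("EventType=8", "EventType=16") \
                         .replace("Type=Success Audit", "Type=Failure Audit")

# A failure event with a different code: must still be dropped.
FAILURE_680 = FAILURE_673.replace("EventCode=673", "EventCode=680")

# Same failure event, but with spaces around "=" (the case asked about later).
SPACED_FAILURE_673 = FAILURE_673.replace("EventCode=673", "EventCode = 673") \
                                .replace("Type=Failure Audit", "Type = Failure Audit")

# Equivalent config (assumed stanza names, shown here only for illustration):
#
#   props.conf
#   [WinEventLog:Security]
#   TRANSFORMS-routing = setnull, keep_failed_673
#
#   transforms.conf
#   [setnull]
#   REGEX = .
#   DEST_KEY = queue
#   FORMAT = nullQueue
#
#   [keep_failed_673]
#   REGEX = (?ms)^EventCode=673$.*?^Type=Failure Audit$
#   DEST_KEY = queue
#   FORMAT = indexQueue
#
# Each tuple is (stanza name, REGEX, FORMAT). Order matters: the last transform
# whose REGEX matches decides the queue, which is what lets the second stanza
# rescue failure 673 events after the first has sent everything to nullQueue.
TRANSFORMS_STRICT = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("keep_failed_673",
     re.compile(r"(?ms)^EventCode=673$.*?^Type=Failure Audit$"),
     "indexQueue"),
]

# Variant that tolerates optional whitespace around "=", for inputs that emit
# "EventCode = 673". If the events have no spaces, the strict form is enough.
TRANSFORMS_TOLERANT = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("keep_failed_673",
     re.compile(r"(?ms)^EventCode\s*=\s*673\s*$.*?^Type\s*=\s*Failure Audit\s*$"),
     "indexQueue"),
]


def route(raw, transforms):
    """Return the queue a raw event ends up in after applying the ordered
    transforms. Mirrors Splunk semantics: indexQueue by default, and every
    matching transform overwrites the queue set by the ones before it."""
    queue = "indexQueue"
    for _name, regex, dest in transforms:
        if regex.search(raw):
            queue = dest
    return queue


if __name__ == "__main__":
    for label, event in [("success 673", SUCCESS_673),
                         ("failure 673", FAILURE_673),
                         ("failure 680", FAILURE_680),
                         ("spaced failure 673", SPACED_FAILURE_673)]:
        print(f"{label:20s} strict={route(event, TRANSFORMS_STRICT):10s} "
              f"tolerant={route(event, TRANSFORMS_TOLERANT)}")
```

Note that the strict regex silently drops the spaced event, which is exactly the failure mode a "my regex isn't working" report points at: check the raw event text for whitespace around "=" before tuning the pattern.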
Hi, if two transformers are used and the first one routes all events to nullQueue, won't we then be unable to capture any other events? Your REGEX seems to be working fine, and thanks for the link.
|
I got it mistaken. It doesn't seem to be working.
Using the REGEX, I've tried to filter based on User instead. Here is a sample of a Windows event:
I had to set something up like this. They wanted a list of the top 20 failed logins by userid. I set the following up as an event type:
index="prod_dc_event_logs" sourcetype="security" Type="Failure Audit" EventCode="538" OR EventCode="540" OR EventCode="680"
Then I set the following search up:
eventtype="WINTEL_FailedLogin" | chart count by Logon_account | sort 20 - count
Brian
Do your WinEventLogs contain spaces between the keys and values? For example, do you see "EventCode = 673" or "EventCode=673"?
I see EventCode=673 without spaces.