My previous configuration to filter Windows event codes doesn't work when I use it on another machine that is pulling data via WMI. My objective is to filter off event codes 538, 540, 672, 673, 861 and the "Success Audit" type for code 578.
My existing configuration is:
Any idea what I've missed?
I don't know why, but after I meddled around with the naming, it seems to work.
answered 20 Oct '10, 03:59
Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?
If it's from local ones, you should use a stanza of
Also, if you're forwarding, then it will not use the wmi stanza on the receiving end, only the sending, so you'll need the proper spec
Also, I'd change the transform names to
answered 18 Oct '10, 11:07
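An added example, not part of the original thread and not the poster's configuration: one way to express the filter described in the question as an index-time nullQueue transform. The stanza name `[WMI:WinEventLog:Security]`, the transform names `wmi_drop_codes` and `wmi_drop_578_success`, and the assumption that each event carries `EventCode=` and `Type=` lines are illustrative and should be adjusted to the actual sourcetype and event text.

```ini
# props.conf
# Assumed sourcetype for Security events collected over WMI.
[WMI:WinEventLog:Security]
# Transforms run in the order listed; names are hypothetical.
TRANSFORMS-wmi_filter = wmi_drop_codes, wmi_drop_578_success

# transforms.conf
# Drop every event whose EventCode is one of the listed codes.
[wmi_drop_codes]
REGEX = (?m)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue

# Drop code 578 only when the Type line mentions "success".
# The two lookaheads make the match independent of field order.
# Assumption: the audit type appears on a line starting with "Type=".
[wmi_drop_578_success]
REGEX = (?msi)\A(?=.*^EventCode=578\b)(?=.*^Type=[^\r\n]*success)
DEST_KEY = queue
FORMAT = nullQueue
```

Events that match neither regex keep their default queue and are indexed as usual, so code 578 events with any other type are retained.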