Hi
I want to filter wineventlogs on universal forwarder with blacklist config. But It doesn't work as described in the document.
Why is this not working_?
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false
index=wineventlog
blacklist7 = EventCode="4624|4625|4634" User="\w+\$"
I just want to filter out usernames endswith $.
Happy splunking.
I wonder if the number needs to be sequential. It shouldn't matter, but have you tried
blacklist3 = EventCode="4624|4625|4634" User="\$$"
As far as I know it doesn't matter. also I tried and result is same.