Hi All,
I'm tweaking my inputs.conf file to exclude some events for the Windows Security log.
I'm filtering EventCode 4688 by message. For compatibility reasons, I want to use the same inputs.conf file for all Windows machines. But Windows 11 has tweaked a couple of event logs, and one of those is 4688.
For Windows 10 and below the following blacklist is working as expected:
blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"
This filters everything except %%1937.
But this won't work for Windows 11, because they have changed the Token Elevation Type to "TokenElevationTypeFull" from the previous "%%1937". Therefore, if a Windows 10 inputs.conf file ends up on a Windows 11 machine, it blacklists all the 4688 logs.
So, simply, I would like to combine the 2 lines into a single line, so that if either Token Elevation Type is found, the event goes through. But the "|" operator doesn't seem to be working, or I'm not using the correct syntax.
blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"
blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*TokenElevationTypeFull)"
Can anyone help marry these 2 checks with an OR operator?
Thank you
I think I've figured it out; I just went a different direction with deny/allow syntax. I'm not sure if this is more CPU-intensive than the first method, since it would be checking 4 conditions instead of 2...
blacklist1 = EventCode="4688" Message="%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"
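The following is an added example, not part of the original post: it runs the three candidate Message regexes (the original Windows 10-only lookahead, a single lookahead whose alternation sits inside the `(?!...)` group, and the deny-list from the reply above) against constructed 4688 message fragments for both the "%%1937"-style and the "TokenElevationType..."-style text. It assumes a Splunk blacklist regex behaves like an unanchored search over the Message field (an event is dropped when the regex matches anywhere) and that Python's `re` engine agrees with PCRE for these constructs; the sample messages are invented fragments, not real log captures.

```python
import re

# Constructed 4688 message fragment (not a real capture). Only the fields that
# matter for the filter are included; layout is tab-separated like the Windows
# event text.
def make_4688(elevation: str) -> str:
    return (
        "A new process has been created.\r\n\r\n"
        "Process Information:\r\n"
        "\tNew Process Name:\tC:\\Windows\\System32\\notepad.exe\r\n"
        f"\tToken Elevation Type:\t{elevation}\r\n"
        "\tMandatory Label:\t\tS-1-16-8192\r\n"
    )

# One sample per elevation type in each rendering the post describes.
SAMPLES = {
    "win10_default": make_4688("%%1936"),
    "win10_full": make_4688("%%1937"),
    "win10_limited": make_4688("%%1938"),
    "win11_default": make_4688("TokenElevationTypeDefault"),
    "win11_full": make_4688("TokenElevationTypeFull"),
    "win11_limited": make_4688("TokenElevationTypeLimited"),
}

# The Windows 10-only blacklist from the question: keeps only %%1937.
WIN10_ONLY = r"Token Elevation Type:(?!\s*%%1937)"

# A naive OR of the two blacklists at the top level: each branch matches the
# other OS's full-token event, so every 4688 is dropped.
NAIVE_OR = (r"Token Elevation Type:(?!\s*%%1937)"
            r"|Token Elevation Type:(?!\s*TokenElevationTypeFull)")

# The alternation placed inside the negative lookahead: the event is dropped
# unless the field value is either rendering of "full".
COMBINED = r"Token Elevation Type:(?!\s*(?:%%1937|TokenElevationTypeFull))"

# The deny-list approach from the reply: drop anything that is not "full".
DENYLIST = r"%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited"


def is_blacklisted(pattern: str, message: str) -> bool:
    """Assumed blacklist semantics: drop the event if the regex matches anywhere."""
    return re.search(pattern, message) is not None


def kept(pattern: str) -> list:
    """Names of the sample events that would survive the given blacklist."""
    return sorted(name for name, msg in SAMPLES.items()
                  if not is_blacklisted(pattern, msg))


if __name__ == "__main__":
    for label, pattern in [("WIN10_ONLY", WIN10_ONLY), ("NAIVE_OR", NAIVE_OR),
                           ("COMBINED", COMBINED), ("DENYLIST", DENYLIST)]:
        print(f"{label:11} keeps: {kept(pattern)}")
```

The lookahead form is anchored to the "Token Elevation Type:" label, so it only inspects that field; the deny-list form matches the four strings anywhere in the message, so it also depends on none of them ever appearing elsewhere in a 4688 event (for example in a process name or command line). The script compares only match semantics; it says nothing about the relative cost of the two forms inside Splunk.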