I'm trying to whitelist a few event logs by eventcode as well as whitelist all events with the SourceName "AD FS Auditing". My config is as follows.
[WinEventLog://Security]
whitelist= 4624, 4625
whitelist1= SourceName="AD FS Auditing"
index=windows_evt
With this config, any events I put in the first whitelist line work perfectly, but the second line is not functional. As a test, if I add an event code that will have a SourceName of "AD FS Auditing" (say EventCode=500), they come in just fine. I have tried various combinations of things for the source name, such as "^AD FS Auditing$" and ".*AD FS Auditing.*", with no success.