I am using Universal Forwarders installed on my domain controllers, and I am successfully filtering specific events (props.conf and transforms.conf are shown below). This is working as we want it to work, and the data is being indexed into "SecEvents".
I want to add a new server and index into the same index (SecEvents); however, the list of event IDs is different. How can I filter from multiple sources? I've tried adding the host into the REGEX in the transform, but nothing I've tried works.
For the sake of simplicity, let's just say I want events 1000 and 2000 from the "new server", and I want them to drop into the SecEvents index.
Thanks for your help!
Contents of props.conf
```
[WinEventLog:Security]
TRANSFORMS-security = events-null, events-filter
```
Contents of transforms.conf
```
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
# The last 3...may generate a lot...watch for them
REGEX = (?m)^EventCode=(4720|4722|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4740|4741|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4767|4771|4723|4625|6272|6273|6278)
DEST_KEY = queue
FORMAT = indexQueue
```
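One way to do what the question asks, as an added example that is not part of the original post: a transforms.conf REGEX is matched against `_raw` (not against the `host` metadata field) unless SOURCE_KEY is changed, which is why putting the host name into the regex did nothing. The raw text of a WinEventLog event does, however, carry a `ComputerName=` line a few lines after `EventCode=`, so a third transform can match on both with a single `(?ms)` regex that lets `.*?` span lines, and be appended to the same `TRANSFORMS-security` list in `[WinEventLog:Security]`. Because the last matching transform wins, the catch-all nullQueue stanza must stay first. The script below simulates that routing over constructed sample events so the regexes can be checked before they touch an indexer; the new server's ComputerName (`newserver`) and the sample timestamps are assumptions. Note that queue routing is applied by the first full Splunk instance that parses the data (indexer or heavy forwarder), not by the Universal Forwarder itself.

```python
import re

# props.conf  ->  [WinEventLog:Security]
#                 TRANSFORMS-security = events-null, events-filter, events-newserver
#
# transforms.conf addition (hypothetical stanza name and host name):
#   [events-newserver]
#   REGEX = (?ms)^EventCode=(1000|2000)\r?$.*?^ComputerName=newserver\b
#   DEST_KEY = queue
#   FORMAT = indexQueue
#
# Each tuple mirrors one transforms.conf stanza, in the order props.conf
# lists them. Splunk evaluates them in that order and the last match sets
# the queue, so the catch-all nullQueue transform has to come first.
TRANSFORMS = [
    ("events-null", r".", "nullQueue"),
    ("events-filter",
     r"(?m)^EventCode=(4720|4722|4724|4725|4726|4727|4728|4729|4730|4731|4732|"
     r"4733|4734|4735|4737|4740|4741|4743|4744|4745|4746|4747|4748|4749|4750|"
     r"4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4767|"
     r"4771|4723|4625|6272|6273|6278)",
     "indexQueue"),
    # (?m) lets ^ and $ anchor at line boundaries; (?s) lets .*? cross the
    # lines between EventCode= and ComputerName=. \r? tolerates CRLF.
    ("events-newserver",
     r"(?ms)^EventCode=(1000|2000)\r?$.*?^ComputerName=newserver\b",
     "indexQueue"),
]


def event(code, computer):
    """Build a constructed Security event in the multiline layout the
    Windows event log input produces (only the relevant fields kept)."""
    return (
        "03/14/2019 10:22:51 AM\r\n"
        "LogName=Security\r\n"
        "SourceName=Microsoft Windows security auditing.\r\n"
        f"EventCode={code}\r\n"
        "EventType=0\r\n"
        "Type=Information\r\n"
        f"ComputerName={computer}\r\n"
        "TaskCategory=constructed\r\n"
        "Message=constructed sample event\r\n"
    )


def route(raw):
    """Return the queue Splunk would send this event to under TRANSFORMS."""
    queue = "indexQueue"  # default when no transform touches the event
    for _name, regex, fmt in TRANSFORMS:
        if re.search(regex, raw):
            queue = fmt  # last matching transform wins
    return queue


def route_all():
    """Route a representative set of constructed events; host names are assumed."""
    cases = {
        "dc_4720": event(4720, "DC01.corp.example"),
        "dc_4624": event(4624, "DC01.corp.example"),
        "dc_1000": event(1000, "DC01.corp.example"),
        "new_1000": event(1000, "newserver.corp.example"),
        "new_2000": event(2000, "newserver.corp.example"),
        "new_4688": event(4688, "newserver.corp.example"),
        "new_4720": event(4720, "newserver.corp.example"),
    }
    return {name: route(raw) for name, raw in cases.items()}


if __name__ == "__main__":
    for name, queue in route_all().items():
        print(f"{name:10s} -> {queue}")
```

`new_4720` lands in indexQueue because the existing events-filter is host-agnostic; if the domain-controller event list should only be accepted from the DCs, add a `.*?^ComputerName=DC\d+` clause to that regex in the same way.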