Hi,
I am trying to pull event logs from remote machines using universal forwarders. I have done the configuration in the inputs.conf files.
Below is the configuration in my inputs.conf file:
[WinEventLog://Application]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://Security]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://System]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://Setup]
disabled = 0
index = win_events
crcSalt = SOURCE
Now I don't want all event codes from the logs. I would require only 4800 and 4801.
Is there any way in which only the events related to the two events can be forwarded to an index?
Thanks