I am trying to filter out noise before it is sent to the indexer. We were using Windows Event Forwarding previously, which was able to filter, but now I am trying to create the same filter. I am modifying inputs.conf on the server running a Universal Forwarder.
So, we are trying to filter out:
Event ID = 4688
SubjectLogonId = 0x3e7 (the local system account)
AND a list of processes that includes the full path, for example:
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\SysWOW64\SearchProtocolHost.exe
I believe there are 12 or so in total.
It seems like this is doable, but is it recommended? If so, how?
I have not tested and will have to verify the variable names.
# Keys on one blacklist line are ANDed; SubjectLogonId / NewProcessName are not blacklist keys, so both conditions go into one regex against Message
blacklist3 = EventCode="4688" Message="(?msi)\A(?:(?!Logon ID:).)*Logon ID:\s+0x3e7\b.*?New Process Name:\s+C:\\Windows\\(?:System32\\SearchFilterHost|SysWOW64\\SearchProtocolHost)\.exe"
I am thinking it will not be that simple and will need regex for SubjectLogonId AND NewProcessName. I am not sure if that is possible.
Thanks in advance for any guidance.
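A way to check the filter before it goes into inputs.conf, as an added example that is not part of the original post or of Splunk's own tooling. It builds the same `EventCode` plus `Message` regex that a blacklist line would carry (the two conditions ANDed, with the first "Logon ID:" pinned to 0x3e7 and the New Process Name drawn from an alternation of escaped paths), renders the inputs.conf line, and applies the regex to constructed 4688 message bodies; the process list, host and logon IDs are constructed for the test and the regex is assumed to be read with the PCRE semantics Splunk uses for blacklist values.

```python
import re

# Constructed from the two paths in the question; the full list of ~12 is not on the page.
NOISY_PROCESSES = [
    r"C:\Windows\System32\SearchFilterHost.exe",
    r"C:\Windows\SysWOW64\SearchProtocolHost.exe",
]


def build_message_regex(paths):
    """One regex over the 4688 message text: the creator Subject's Logon ID
    must be 0x3e7 AND New Process Name must be one of `paths`.

    (?m) '^'/'$' anchor per line, (?s) '.' crosses lines, (?i) tolerates
    0x3E7 vs 0x3e7 and path case. The tempered token (?:(?!Logon ID:).)* stops
    at the FIRST 'Logon ID:' so a 0x3e7 in the Target Subject block cannot
    satisfy the check when the creator was an interactive user.
    """
    alternation = "|".join(re.escape(p) for p in paths)
    return (
        r"(?msi)\A(?:(?!Logon ID:).)*Logon ID:\s+0x3e7\b"
        r".*?New Process Name:\s+(?:" + alternation + r")\s*$"
    )


def inputs_conf_blacklist(n, paths):
    """Render the inputs.conf line. Keys on one blacklist line are ANDed and
    the Message value is a single double-quoted regex."""
    return f'blacklist{n} = EventCode="4688" Message="{build_message_regex(paths)}"'


def is_blacklisted(event_code, message, paths=NOISY_PROCESSES):
    """Apply the same AND semantics locally: EventCode must match and the
    Message regex must match, otherwise the event is kept."""
    if event_code != "4688":
        return False
    return re.search(build_message_regex(paths), message) is not None


def make_4688(logon_id, new_process, target_logon_id="0x0"):
    """Constructed 4688 body mirroring the layout of a real event message
    (creator Subject, Target Subject, Process Information)."""
    return (
        "A new process has been created.\r\n\r\n"
        "Creator Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-18\r\n"
        "\tAccount Name:\t\tHOST01$\r\n"
        "\tAccount Domain:\t\tCORP\r\n"
        f"\tLogon ID:\t\t{logon_id}\r\n\r\n"
        "Target Subject:\r\n"
        "\tSecurity ID:\t\tS-1-0-0\r\n"
        "\tAccount Name:\t\t-\r\n"
        "\tAccount Domain:\t\t-\r\n"
        f"\tLogon ID:\t\t{target_logon_id}\r\n\r\n"
        "Process Information:\r\n"
        "\tNew Process ID:\t\t0x1f40\r\n"
        f"\tNew Process Name:\t{new_process}\r\n"
        "\tToken Elevation Type:\t%%1936\r\n"
    )


if __name__ == "__main__":
    print(inputs_conf_blacklist(3, NOISY_PROCESSES))
    samples = [
        ("4688", "SYSTEM starts SearchFilterHost", make_4688("0x3E7", NOISY_PROCESSES[0])),
        ("4688", "user starts SearchFilterHost", make_4688("0x1A2B3", NOISY_PROCESSES[0])),
        ("4688", "SYSTEM starts cmd.exe", make_4688("0x3E7", r"C:\Windows\System32\cmd.exe")),
    ]
    for code, label, body in samples:
        print(f"{label}: {'DROP' if is_blacklisted(code, body) else 'keep'}")
```

Run it once with the full list of twelve paths substituted into `NOISY_PROCESSES` and paste the printed `blacklist3` line into the stanza; every path is escaped by `re.escape`, so backslashes and dots arrive in the conf file already doubled. If the input has `renderXml` enabled, the Message text is XML and the `Logon ID:` / `New Process Name:` labels above do not appear, so the regex must be written against the XML element names instead.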