Hi,
So I am using Windows Universal forwarder (6.4.1) to forward data to indexers (6.5)
I have a filter setup in inputs.conf on UFs:
[WinEventLog://Security]
disabled = 0
index = test
sourcetype = windows
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:[\s]*(.*\$)"
blacklist5 = Message="Account Name:[\s]*HealthMailbox.*"
The problem is that I can see blacklists 1-4 working, i.e. not getting any events corresponding to those codes/regexes,
but blacklist5 doesn't work, i.e. I'm still seeing the events with Account Names containing "HealthMailbox" in them. I have spent enough
of my time beating my head around trying to think what could be the cause of this behavior, but couldn't find a solution.
Is there something I am missing?
Thanks for the help.
Fatema.
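One way to check what the blacklist regexes in this stanza actually match, before chasing the forwarder, is to run them against sample event text offline. The following is an added example written for this post, not code from Splunk or from the poster: a small Python emulation that parses the blacklistN lines and applies them to constructed events. The matching semantics are an assumption about how the forwarder evaluates them (all field="regex" pairs on one line must match; EventCode is compared as a whole value; Message is searched unanchored, with `.` not crossing line breaks), and the event texts are constructed to resemble rendered Security log messages with tab separators.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the stanza from the question (straight quotes); it is parsed by this
# script, not read by Splunk.
INPUTS_CONF = r'''
[WinEventLog://Security]
disabled = 0
index = test
sourcetype = windows
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:[\s]*(.*\$)"
blacklist5 = Message="Account Name:[\s]*HealthMailbox.*"
'''

# field="regex" pairs; the regex body may contain backslash escapes such as \s or \$
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
BLACKLIST_LINE_RE = re.compile(r'\s*blacklist\d*\s*=\s*(.*)$')


def parse_blacklists(conf: str) -> List[Dict[str, str]]:
    """One {field: regex} dict per blacklistN line, in file order.
    A bare comma-separated list of codes becomes an EventCode alternation."""
    rules: List[Dict[str, str]] = []
    for line in conf.splitlines():
        m = BLACKLIST_LINE_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        pairs = dict(KV_RE.findall(value))
        if not pairs:
            codes = [c.strip() for c in value.split(",") if c.strip()]
            pairs = {"EventCode": "|".join(re.escape(c) for c in codes)}
        rules.append(pairs)
    return rules


def matching_rule(event: Dict[str, str], rules: List[Dict[str, str]]) -> Optional[int]:
    """1-based number of the first rule that drops the event, or None if it is kept.
    Assumed semantics (an approximation of the forwarder, not its real code): every
    field=regex pair on one line must match (AND); EventCode is compared as a whole
    value; Message is searched anywhere in the text."""
    for n, rule in enumerate(rules, start=1):
        for field, pattern in rule.items():
            value = event.get(field, "")
            hit = re.fullmatch(pattern, value) if field == "EventCode" else re.search(pattern, value)
            if hit is None:
                break
        else:
            return n
    return None


# Constructed sample events; the layout mimics rendered Security log text (tabs, newlines).
EVENTS: Dict[str, Dict[str, str]] = {
    "gpo-read": {"EventCode": "4662",
                 "Message": "An operation was performed on an object.\n\tObject Type:\tgroupPolicyContainer"},
    "gpo-read-2tabs": {"EventCode": "4662",
                       "Message": "An operation was performed on an object.\n\tObject Type:\t\tgroupPolicyContainer"},
    "user-read": {"EventCode": "4662",
                  "Message": "An operation was performed on an object.\n\tObject Type:\tuser"},
    "file-access": {"EventCode": "4663", "Message": "An attempt was made to access an object."},
    "machine-logon": {"EventCode": "4624",
                      "Message": "An account was successfully logged on.\n\nSubject:\n\tAccount Name:\t\t-\n\n"
                                 "New Logon:\n\tAccount Name:\t\tWKS01$"},
    "healthmailbox-logon": {"EventCode": "4624",
                            "Message": "An account was successfully logged on.\n\nSubject:\n\tAccount Name:\t\t-\n\n"
                                       "New Logon:\n\tAccount Name:\t\tHealthMailbox0a1b2c3"},
    "user-logon": {"EventCode": "4624",
                   "Message": "An account was successfully logged on.\n\nNew Logon:\n\tAccount Name:\t\talice"},
}


def filter_events(events: Dict[str, Dict[str, str]], rules: List[Dict[str, str]]) -> Dict[str, Optional[int]]:
    """Map each event id to the blacklist number that drops it (None = forwarded)."""
    return {name: matching_rule(ev, rules) for name, ev in events.items()}


if __name__ == "__main__":
    for name, dropped_by in filter_events(EVENTS, parse_blacklists(INPUTS_CONF)).items():
        print(f"{name:22s} -> {'kept' if dropped_by is None else f'dropped by blacklist{dropped_by}'}")
```

Under these assumed semantics blacklist5 does drop the constructed HealthMailbox logon, which narrows the question to how the real forwarder is evaluating the line rather than to the regex itself. The harness also surfaces a caveat in blacklist1/blacklist2: `\s+(?!groupPolicyContainer)` can backtrack so that `\s+` consumes only one of two tabs and the lookahead then sees a tab rather than `groupPolicyContainer`, which makes the rule drop the groupPolicyContainer event it was meant to keep (the `gpo-read-2tabs` case); `Object Type:(?!\s+groupPolicyContainer)` avoids that.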