Hi,
For a while, I have been trying to find the problem (here and by testing), but nothing yet.
I want to filter out some login and logout events with blacklisting. Input stanza looks like this:
[WinEventLog://Security]
disabled = 0
renderXml= false
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=”4624” Message="ServerAccount[3-6]\$"
blacklist4 = EventCode=”4634” Message="ServerAccount[3-6]\$"
So, I don't need the events with the account names ServerAccount3$, ServerAccount4$, ServerAccount5$ and ServerAccount6$.
What am I doing wrong? Please help, it's quite an urgent task.
Regards,
István
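
An added example, not part of the original post and not Splunk's own code: a Python check that parses the blacklist lines as posted, reports which ones contain non-ASCII (typographic) quote characters, and evaluates the regexes against event fields. The sample events and the rule that every key's regex must match for an event to be dropped are assumptions made for this illustration.

```python
import re

# Blacklist lines copied from the post above, quote characters kept as posted.
STANZA = r'''
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=”4624” Message="ServerAccount[3-6]\$"
blacklist4 = EventCode=”4634” Message="ServerAccount[3-6]\$"
'''

QUOTES = '"\u201c\u201d'  # ASCII quote plus left/right typographic quotes
# key=<quote>regex<quote>, where the closing quote is followed by space or end of line
PAIR = re.compile(r'(\w+)=([%s])(.*?)[%s](?=\s|$)' % (QUOTES, QUOTES))

def parse_rules(stanza):
    """Return {rule name: {"fields": {key: regex}, "non_ascii_quotes": bool}}."""
    rules = {}
    for line in stanza.splitlines():
        name, _, value = line.partition("=")
        name = name.strip()
        if not name.startswith("blacklist"):
            continue
        fields = {key: rx for key, _, rx in PAIR.findall(value)}
        rules[name] = {"fields": fields,
                       "non_ascii_quotes": any(ord(c) > 127 for c in value)}
    return rules

def matching_rules(rules, event):
    """Names of rules whose every key regex is found in the event (assumed semantics)."""
    return [name for name, rule in rules.items()
            if rule["fields"] and all(re.search(rx, event.get(key, ""))
                                      for key, rx in rule["fields"].items())]

# Constructed sample events (not real log data).
LOGON_SA4 = {"EventCode": "4624",
             "Message": "An account was successfully logged on.\nAccount Name:\tServerAccount4$"}
LOGOFF_SA7 = {"EventCode": "4634",
              "Message": "An account was logged off.\nAccount Name:\tServerAccount7$"}

if __name__ == "__main__":
    rules = parse_rules(STANZA)
    for name, rule in rules.items():
        print(name, "non-ASCII quotes" if rule["non_ascii_quotes"] else "ASCII only")
    print("LOGON_SA4 matched by:", matching_rules(rules, LOGON_SA4))
    print("LOGOFF_SA7 matched by:", matching_rules(rules, LOGOFF_SA7))
```

The regexes themselves select ServerAccount3$ through ServerAccount6$ as intended, so the non-ASCII quote characters on the two flagged lines are worth ruling out first by retyping them as plain `"`.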