WMI winevent log Events not being sent to nullQueue

anupgurung — Thu, 18 Nov 2021 16:13:25 GMT

I am trying to send the following WMI winevent log event to the Null queue as it needs to be dropped.But this dosn't seems to be working. Can someone help me on this?

I have configured the props & transform in Heavy Forwarder like-

props.conf
[source::WinEventLog:Microsoft-Windows-WMI-Activity/Operational]
TRANSFORMS-null = wmi-setnull

transforms.conf
[wmi-setnull]
REGEX =((.|\n)*)EventCode=5857\s+((.|\n)*)ProviderPath\s+=\s+(%systemroot%\\system32\\wbem\\(wmiprov\.dll|ntevt\.dll|wmiprvsd\.dll)|C:\\Windows\\(System32\\wbem\\krnlprov\.dll|CCM\\ccmsdkprovider\.dll)|C:\\Program\sFiles\\(Microsoft\sSQL\sServer\\.*\\Shared\\sqlmgmprovider\.dll|VMware\\VMware Tools\\vmStatsProvider\\win64\\vmStatsProvider\.dll))
DEST_KEY = queue
FORMAT = nullQueue

topic WMI winevent log Events not being sent to nullQueue in Getting Data In

WMI winevent log Events not being sent to nullQueue