Hallo,

i need help for this stanza. I want only Events for "EventCode=4624 and Logon_Type=10" .
Whitelist2 works fine.

[WinEventLog://Security]
disabled = false
start_from = oldest
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist1 = EventCode=%^(4624)$% Logon_Type=%^10$%
whitelist2 = EventCode=%^(4625|4647|4720|4722|4724|4725|4726|4738|4781)$%
index = infrastrukturlog_windows

Thank you

Gerd