Problem: a hundred servers with the basic event logs (system, application, security) plus various other custom log containers. I want to get all the log containers but not the security log. All the servers don't have the same set of custom log containers so one conf file defining all the logs specifically isn't easy. Also, custom event logs get added regularly so the conf file will not be static.
Is there a way to create a conf file that will use a wildcard for the event logs and also not a specifc one that i won't have to change often?
I think your best bet at this point is to take a look at your servers and group them into logical groups of servers with the same logs. Then look into setting up a deployment server (which can be housed on your main splunk instance, or any other, doesn't matter) to push out the relevant configs to the logical server groups.
You can have one default config that gets pushed to every server to monitor the standard logs found on all Windows server (Application, System, skipping Security in your case) and then additional configs for the logical groups that have additional log sources in common.
This will entail a bit of planning and a bit of change control process around adding new log sources on your servers, but will end up making your whole installation a lot easier to manage.
No there is no pattern to the names/containers. They are based on the names of the application. Regarding wildcarding or regex, we would need the ability to specifically exclude one or more logs but include the rest. Something like $eventLogList = AllEventLogs | where EventLog <> ("Security" OR "Sytem") as an example.