In regards to the Windows Event Log filtering in the newer 6.0+ forwarders. I'm looking for some help on filtering out events what aren't required for us to keep and are really eating into our license usage. The event code is 4624 and I want to remove events where the second Secrurity_ID filed contains a "$" at the end.
I've tried the following with no luck and am wondering if this is even possible:
From what I understand in the docs, for the event to be filtered out it needs to match all conditions of the blacklist. Based on my testing I am fairly certain this isn't the way to identify the second value of a field. Can anyone point me in the right direction to get this to work?