I need to filter all windows event log records from being indexed. I am using the universal forwarder, so on my indexers, I have the following:
[host::myserver]
TRANSFORMS-winlogs = FilterWinSecurityLogs

[FilterWinSecurityLogs]
REGEX=sourcetype=(WMI*|WinEvent*)
DEST_KEY=queue
FORMAT=nullQueue
This doesn't seem to work.
Is the * wildcard valid in the REGEX?
That would disable it across all Windows servers. I just need it for ONE server. My transforms currently looks like this but is not working:

[FilterAllWMILogs]
SOURCE_KEY = sourcetype
REGEX = .*WMI*
DEST_KEY = queue
FORMAT = nullQueue
Hm, that SHOULD work, even if I would say that the REGEX should be:

REGEX = .*WMI.*
Are you referencing it correctly from props.conf? (I saw you had changed the name of the transforms stanza.)
I haven't used this type of transform myself, but I don't see why this should pose any real problems.
The best would naturally be to disable the monitoring on the host in question.
If this (for some odd reason) is NOT the way to go, then you should alter the transforms stanza like so:

[FilterWinSecurityLogs]
SOURCE_KEY = sourcetype
REGEX = .*WinEventLog.*
DEST_KEY = queue
FORMAT = nullQueue
Hope this helps,
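As an added example (not code from this thread or from Splunk), the Python below is a small offline model of how an indexer evaluates a props.conf host stanza together with the transforms stanzas posted above: the REGEX is matched against SOURCE_KEY (which defaults to _raw when it is omitted), and on a match DEST_KEY = queue sends the event to FORMAT. The props/transforms text and the sample events are constructed for illustration; the hostnames, sourcetypes and the simplified evaluation order are assumptions, not Splunk internals.

```python
"""Offline model of a Splunk props.conf host stanza plus transforms.conf
nullQueue rules. Added example, not Splunk's own code: the evaluation is
simplified (match REGEX against SOURCE_KEY, default _raw; on a match, send
the event to FORMAT when DEST_KEY is queue). All conf text and events below
are constructed for illustration."""
import configparser
import re

# Constructed props.conf: the filter is scoped to ONE host only.
PROPS_CONF = """
[host::myserver]
TRANSFORMS-winlogs = FilterWinSecurityLogs
"""

# Constructed transforms.conf: the stanza from the question (no SOURCE_KEY,
# so the regex runs against the raw event text), the poster's WMI stanza,
# and the corrected stanza from the answer.
TRANSFORMS_CONF = """
[FilterWinSecurityLogs_as_posted]
REGEX = sourcetype=(WMI*|WinEvent*)
DEST_KEY = queue
FORMAT = nullQueue

[FilterAllWMILogs]
SOURCE_KEY = sourcetype
REGEX = .*WMI*
DEST_KEY = queue
FORMAT = nullQueue

[FilterWinSecurityLogs]
SOURCE_KEY = sourcetype
REGEX = .*WinEventLog.*
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed events: Windows records from the target host, one WMI record,
# a non-Windows record that must stay, and a Windows record from another host.
EVENTS = [
    {"host": "myserver", "sourcetype": "WinEventLog:Security",
     "_raw": "LogName=Security EventCode=4624 Message=An account was successfully logged on."},
    {"host": "myserver", "sourcetype": "WinEventLog:System",
     "_raw": "LogName=System EventCode=7036 Message=Service entered the running state."},
    {"host": "myserver", "sourcetype": "WMI:CPUTime",
     "_raw": "Name=_Total PercentProcessorTime=3"},
    {"host": "myserver", "sourcetype": "iis",
     "_raw": "2012-04-01 10:00:03 GET /index.html 200"},
    {"host": "otherserver", "sourcetype": "WinEventLog:Security",
     "_raw": "LogName=Security EventCode=4625 Message=An account failed to log on."},
]


def load_conf(text):
    """Parse .conf stanzas into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def apply_rule(event, rule):
    """Return the queue a single transforms rule routes the event to."""
    subject = event.get(rule.get("SOURCE_KEY", "_raw"), "")
    if re.search(rule["REGEX"], subject) and rule.get("DEST_KEY") == "queue":
        return rule["FORMAT"]
    return "indexQueue"


def rules_for(event, props, transforms):
    """Transforms that props.conf attaches to the event via a host:: stanza."""
    rules = []
    for stanza, settings in props.items():
        if stanza == "host::" + event["host"]:
            for key, value in settings.items():
                if key.startswith("TRANSFORMS-"):
                    rules += [transforms[n.strip()] for n in value.split(",")]
    return rules


def route(event, props, transforms):
    """nullQueue wins if any attached rule sends the event there."""
    queues = {apply_rule(event, r) for r in rules_for(event, props, transforms)}
    return "nullQueue" if "nullQueue" in queues else "indexQueue"


def dropped_by_rule(rule_name, events=EVENTS, transforms_text=TRANSFORMS_CONF):
    """Sourcetypes one rule would drop on its own, ignoring props.conf scoping."""
    rule = load_conf(transforms_text)[rule_name]
    return sorted({e["sourcetype"] for e in events if apply_rule(e, rule) == "nullQueue"})


def dropped_events(events=EVENTS, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """(host, sourcetype) pairs dropped with the full props/transforms pair."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    return sorted((e["host"], e["sourcetype"]) for e in events
                  if route(e, props, transforms) == "nullQueue")


if __name__ == "__main__":
    for name in ("FilterWinSecurityLogs_as_posted", "FilterAllWMILogs", "FilterWinSecurityLogs"):
        print(f"{name}: drops {dropped_by_rule(name)}")
    print("with props.conf host scoping:", dropped_events())
```

Running it shows why the stanza from the question drops nothing: without SOURCE_KEY the regex is applied to _raw, and a Windows event's raw text never contains the literal string "sourcetype=". The WMI stanza does match a WMI sourcetype on its own, which is why the first thing to check when it still does not fire is whether props.conf references the stanza by its current name. With the host:: stanza in place, only the Windows events from myserver reach nullQueue; the same sourcetypes from otherserver are still indexed.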