Yes, you should use this in you inputs.conf file :
[WinEventLog://Security]
disabled = 0
We do the exact same thing, furthermore we sort out event number we don't need using event ID exctracted from :
http://support.microsoft.com/kb/977519
Here's what our transforms.conf looks like :
[grab]
REGEX = (?msi).*EventCode=(4624|4634|4625|4740|4767|5143|4670|4670|4663|4670|4670|4660|4663|5143|4657|4720|4722|47239|4724|4738|4725|4726|4738|4727|4731|4728|4732|4729|4733|4730|4734|6144|4674|4674|4674|4608|4609|4610|4611|4612|4614|4616|528|538|540|529|682|531|551|537|539|552|4623|4672|4647|4648|560|562|4656|4658)
DEST_KEY = queue
FORMAT = indexQueue
There are many posts for Windows event filtering. Have a look at them.
http://answers.splunk.com/answers/29218/filtering-windows-event-logs