I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?
[WinEventLog://Security]
disabled = 0
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5
Thank you in advance.
Thanks Burch, I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx 😉 Thanks again.
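As an added illustration (not from the original thread or from Splunk's documentation), here is how a Windows Security blacklist can be expressed with the `User` and `Message` keys instead of `Account_Name`, which is not one of the keys the WinEventLog input matches on. The service account names, the index name and the sourcetype are placeholders; the regex is delimited with `%` so that the `|` alternation is not read as a key separator:

```ini
# inputs.conf (example, assumed stanza; names below are placeholders)
[WinEventLog://Security]
disabled = 0
index = certification
sourcetype = WinEventLog:Security

# Drop events whose User field is one of the generic service accounts.
# The regex is anchored so "svc_backup" does not also match "svc_backup2".
blacklist1 = User=%^(svc_backup|svc_monitor|svc_sql|svc_web|svc_print)$%

# The User field is not populated for every event type, so also match on the
# "Account Name:" line inside the rendered Message text (\s+ covers the
# tab/space padding Windows inserts after the label).
blacklist2 = Message=%Account Name:\s+(svc_backup|svc_monitor|svc_sql|svc_web|svc_print)\s%
```

Each `blacklistN` is evaluated independently, so an event is discarded if either rule matches. After changing the stanza the forwarder must be restarted (or the deployment app reloaded) for the new filters to take effect, and a quick `index=certification sourcetype=WinEventLog:Security svc_backup` search with no results confirms the filter is working.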
I believe that I may have captured the events with this:
disabled = 0
index = certification
Thank you for all the help. As always, the collaboration is greatly appreciated!!!
Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.
I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even captured the event name as it shows.