I would like to send some Windows security events to nullQueue based on some regexes. So I have defined:
[WinEventLog:Security]
TRANSFORMS-set = setnull,pruneprocesses,pruneusers,prunemachines,setparsing

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[pruneprocesses]
REGEX = Process\s+Name:\s*.*?(svchost.exe|lsass.exe)
DEST_KEY = queue
FORMAT = nullQueue

[pruneusers]
REGEX = Account\s+Name:\s*.*?(-|SYSTEM)
DEST_KEY = queue
FORMAT = nullQueue

[prunemachines]
REGEX = Account\s+Name:\s+[A-Z0-9-]+[\$]
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?msi)^EventCode=(4624|4625|4634|4656|4659|4660)\D
DEST_KEY = queue
FORMAT = indexQueue
But, obviously, the events that match one of the pruneprocesses, pruneusers or prunemachines rules AND match the setparsing rule are indexed, while I would like that if an event matches one of the "prune" rules the event itself must NOT be indexed ... how can I do that?
Thanks in advance
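Added example, not part of the post: a small Python simulation of how a TRANSFORMS-<class> list is evaluated, assuming (as Splunk documents) that the listed transforms run in order and that, because every stanza here writes the same DEST_KEY = queue, the last transform whose REGEX matches decides the queue. The sample events and the alternative ordering are constructed for the demonstration and are not from the post.

```python
import re

# The five stanzas quoted in the question, as (REGEX, FORMAT) pairs.
TRANSFORMS = {
    "setnull": (r".", "nullQueue"),
    "pruneprocesses": (r"Process\s+Name:\s*.*?(svchost.exe|lsass.exe)", "nullQueue"),
    "pruneusers": (r"Account\s+Name:\s*.*?(-|SYSTEM)", "nullQueue"),
    "prunemachines": (r"Account\s+Name:\s+[A-Z0-9-]+[\$]", "nullQueue"),
    "setparsing": (r"(?msi)^EventCode=(4624|4625|4634|4656|4659|4660)\D", "indexQueue"),
}


def route(event, order):
    """Assumed model of TRANSFORMS-<class>: apply the transforms in the listed
    order; each REGEX match overwrites DEST_KEY=queue, so the last matching
    transform wins. Returns the final queue name, or None if nothing matched."""
    queue = None
    for name in order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, event):
            queue = fmt
    return queue


# Order exactly as written in the question: setparsing runs last.
ORDER_IN_QUESTION = ["setnull", "pruneprocesses", "pruneusers", "prunemachines", "setparsing"]
# Constructed alternative: the prune rules run after setparsing.
ORDER_PRUNE_LAST = ["setnull", "setparsing", "pruneprocesses", "pruneusers", "prunemachines"]

# Constructed sample events shaped like multi-line WinEventLog:Security records.
SAMPLE_SYSTEM_LOGON = (
    "EventCode=4624\n"
    "Message=An account was successfully logged on.\n"
    "\tAccount Name:\t\tSYSTEM\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n"
)
SAMPLE_USER_LOGON = (
    "EventCode=4624\n"
    "Message=An account was successfully logged on.\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n"
)
SAMPLE_OTHER_EVENT = (
    "EventCode=4672\n"
    "Message=Special privileges assigned to new logon.\n"
    "\tAccount Name:\t\tSYSTEM\n"
)
```

With the question's ordering the SYSTEM/svchost.exe logon matches both a prune rule and setparsing and ends in indexQueue; with the prune rules listed last it ends in nullQueue, while the ordinary user logon is indexed and the 4672 event is dropped either way.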