I finally managed to set up WMI-based event log monitoring and it seems to work 🙂
The problem is that it's gonna give me way to many events. I want to pull just a subset of the events from the Applicatonlog. With ordinary WinEventLog input I could set up a whitelist/blacklist to limit the processed events at the forwarder level. The same doesn't seem to work with the WMI:whatever type of input.
Is there indeed no way to limit the ingested events? Do I have to do it further down the stream by selective routing on HF?