I have the following stanza in the universal forwarder Splunk 6.3:
[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4656"
blacklist2=EventCode="5156"
blacklist3=EventCode="4658"
blacklist4=EventCode="5145"
blacklist5=EventCode="5158"
Blacklist6=EventCode="4663" Message="ZettaMirror_Sync"
The EventCode-only blacklists function as expected; however, adding the Message filter does not. What you see here is the latest of many attempts at regexes, pared down to nothing. I tried .*ZettaMirror.*, tried using Process_Name=".*Zetta.*" instead of Message, etc. The actual log event I want to get rid of is this one:
11/25/2015 04:20:34 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=hostname.domain.int
TaskCategory=File System
OpCode=Info
RecordNumber=517360030
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
    Security ID: NT AUTHORITY\SYSTEM
    Account Name: HOSTNAMEREDACTED$
    Account Domain: REDACTEDDOMAIN
    Logon ID: 0x3e7

Object:
    Object Server: Security
    Object Type: File
    Object Name: \Device\HarddiskVolumeShadowCopy59\redactedDirectory\somepath.pdf
    Handle ID: 0x4a8

Process Information:
    Process ID: 0xcec
    Process Name: C:\Program Files\Zetta\ZettaMirror\ZettaMirror_Sync.exe

Access Request Information:
    Accesses: ReadData (or ListDirectory)
    Access Mask: 0x1