Sorry if this has been asked before but I couldnt see the same such post.
I want to include some specific windows logs and exclude all others. From what I can see the below config is including other events too - is this because I have Application and System Stanzas with no whitelists? Or do I need to include a blacklist too within this stanza?
Your whitelist should work, but if you have other WinEventLog stanzas present and do not want to index their events, do set disabled = 1 in those stanzas. By default, all events in the referenced event log will be indexed.
thanks for the reply. I think that was just my understanding of whitelisting. do you know of an easy way to find what windows events would sit in which stanzas? most of the time it will be obvious but for some events they could legitimately sit in either camp.
