I've tried to filter native event logs being indexed using the [WinEventLog...] sourcetype. Here is the config:

    [WinEventLog:Security]
    TRANSFORMS-set = delete

    [delete]
    REGEX = .*EventCode\=540.*
    DEST_KEY = queue
    FORMAT = nullQueue
Wondering if this is a bug?!
Though you don't actually say, I assume your problem is the events with EventCode 540 are not being dropped and that you want them to be. I do not know of any bugs in this area.
However, if that is what you are trying to do, one problem is that the "EventCode" you are presumably looking for is usually found at the beginning of a line, while the regex in your configuration requires a "." before it. By default, "." does not match line breaks, so your regex will not match what you intend. A regex that does do what you probably want is "
That works great! Yes, I do want to drop specific events. How do you add another condition in the regex? Say with the EventCode, I also want to include all username "Anonymous Logon"? I'm thinking of the regex "(?m)^EventCode=540.ANONYMOUS LOGON.Logon Type: 3"
I recommend adding a not-a-digit at the end of that regex. For example: "(?m)^EventCode=540\D" just so you aren't matching some other event code.
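To see how the regexes discussed in this thread behave against multi-line Windows Security events, here is an added Python example; it is not code from the thread or from Splunk. It applies each candidate REGEX to one event at a time, the way a transforms.conf rule routing matches to nullQueue does. The events are constructed samples in the WinEventLog text layout, and Python's re module stands in for Splunk's PCRE engine, an assumption that holds for the constructs used here ((?m), (?s), ^, \D). The stanza names and regex names are illustrative.

```python
import re

# Constructed sample events (not real captures), each a multi-line string in the
# classic WinEventLog text layout. A transform REGEX is evaluated per event.
EVENTS = [
    # 0: EventCode 540, anonymous network logon (what the thread wants to drop)
    "06/01/2010 10:15:02 AM\nLogName=Security\nEventCode=540\nEventType=8\n"
    "Message=Successful Network Logon:\n\tUser Name:\tANONYMOUS LOGON\n"
    "\tDomain:\t\tNT AUTHORITY\n\tLogon Type:\t3\n",
    # 1: EventCode 540, named user (the narrower rule should keep this one)
    "06/01/2010 10:16:40 AM\nLogName=Security\nEventCode=540\nEventType=8\n"
    "Message=Successful Network Logon:\n\tUser Name:\tjsmith\n"
    "\tDomain:\t\tCORP\n\tLogon Type:\t3\n",
    # 2: constructed filler event whose code merely starts with 540 (shows why \D matters)
    "06/01/2010 10:17:11 AM\nLogName=Security\nEventCode=5400\nEventType=8\n"
    "Message=Constructed filler event\n",
    # 3: EventCode 538 (logoff), must never be dropped
    "06/01/2010 10:18:05 AM\nLogName=Security\nEventCode=538\nEventType=8\n"
    "Message=User Logoff:\n\tUser Name:\tjsmith\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n",
]

# Candidate REGEX values. Names are illustrative, not Splunk settings.
RULES = {
    # Without (?m), ^ anchors only at the start of the whole event, which is the timestamp.
    "no_multiline": r"^EventCode=540\D",
    # The answer's form: (?m) makes ^ match at each line start; \D rejects 5400, 5401, ...
    "answer": r"(?m)^EventCode=540\D",
    # '.' does not cross a line break by default, so this cannot reach the user name line.
    "dot_same_line": r"(?m)^EventCode=540.*ANONYMOUS LOGON",
    # (?s) lets '.' span lines; lazy .*? keeps the match inside the fields we care about.
    "anonymous_type3": r"(?ms)^EventCode=540\D.*?User Name:\s*ANONYMOUS LOGON.*?Logon Type:\s*3\b",
}


def would_drop(regex: str, event: str) -> bool:
    """Emulate the transform: a REGEX match sends the event to nullQueue."""
    return re.search(regex, event) is not None


def apply_rule(regex: str, events=EVENTS) -> list:
    """Return the indices of the events a given REGEX would drop."""
    return [i for i, ev in enumerate(events) if would_drop(regex, ev)]


def transforms_stanza(name: str, regex: str) -> str:
    """Render the transforms.conf stanza for a nullQueue rule, using the keys from the thread."""
    return f"[{name}]\nREGEX = {regex}\nDEST_KEY = queue\nFORMAT = nullQueue\n"


if __name__ == "__main__":
    for rule_name, regex in RULES.items():
        print(f"{rule_name:16s} drops events {apply_rule(regex)}")
    print()
    print(transforms_stanza("delete", RULES["anonymous_type3"]))
```

Running it shows that only the (?m)-anchored forms drop anything, that the \D guard keeps the constructed 5400 event, and that the combined rule drops the anonymous type 3 logon while leaving the named user's 540 event in the index. Pair the rendered stanza with the props.conf entry from the question (TRANSFORMS-set = delete under [WinEventLog:Security]).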