I'm struggling to find the proper regex to adjust the blacklist for 4662 events.
I want to blacklist all 4662 events unless they are related to group policy or DNS.
I've tried a number of combinations. My latest running example is:
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer|dnsNode))"
Using this I get back no 4662 events.
So far while trying to research and understand RegEx I haven't figured out how to make this work.
I'm trying to ignore all events with the ID 4662 unless they are from the object type "groupPolicyContainer" or "dnsNode".
Example message field from an event:
An operation was performed on an object.
Subject : Security ID: domain\user Account Name: user Account Domain: domain Logon ID: 0x57634DF Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN=Configuration,DC=domain,DC=domain Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Control Access Access Mask: 0x100 Properties: Control Access Replicating Directory Changes configuration Additional Information: Parameter 1: - Parameter 2:
The out-of-the-box config for the Windows TA contains this blacklist entry:
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
I'm just trying to also include dnsNode with groupPolicyContainer to index those two types of events but ignore everything else.
I thought it would just be an OR as I listed above but that config does not work.
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer)|(dnsNode))"
This actually causes every 4662 event to be indexed, regardless of object type.
My first attempt was
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer|dnsNode)"
which causes all 4663 events to be indexed.
Removing the negation, the regex appears to work and matches an event. I suspect there's something about the ?! that I haven't figured out yet.
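An added check (not part of the question or of the Windows TA) that runs the two negative-lookahead patterns from the post against constructed 4662 message fragments, assuming a blacklist entry drops the event when its regex matches anywhere in the Message field. The "_tabs" samples imitate the tab indentation real Windows event text carries, and the "anchored" pattern is a hypothetical hardened form, not something the TA ships:

```python
import re

# Constructed sample 4662 message fragments (not taken from the post).  The
# "_space" variants mirror the flattened text in the question; the "_tabs"
# variants use the tab indentation real Windows event messages carry.
MESSAGES = {
    "gpc_space":  "Object Server: DS Object Type: groupPolicyContainer Object Name: CN=x",
    "dns_space":  "Object Server: DS Object Type: dnsNode Object Name: DC=x",
    "user_space": "Object Server: DS Object Type: user Object Name: CN=x",
    "gpc_tabs":   "Object Server:\t\tDS\r\n\tObject Type:\t\tgroupPolicyContainer\r\n",
    "dns_tabs":   "Object Server:\t\tDS\r\n\tObject Type:\t\tdnsNode\r\n",
    "user_tabs":  "Object Server:\t\tDS\r\n\tObject Type:\t\tuser\r\n",
}

# The two patterns from the question, plus a hypothetical hardened form.
PATTERNS = {
    "grouped_alt": r"Object Type:\s+(?!(groupPolicyContainer|dnsNode))",
    "bare_alt":    r"Object Type:\s+(?!groupPolicyContainer|dnsNode)",
    # (?=\S) stops \s+ from backtracking to fewer whitespace chars, so the
    # negative lookahead is always evaluated at the start of the type name.
    "anchored":    r"Object Type:\s+(?=\S)(?!groupPolicyContainer|dnsNode)",
}

def is_blacklisted(pattern: str, message: str) -> bool:
    """A blacklist entry drops the event when its regex matches anywhere."""
    return re.search(pattern, message) is not None

def evaluate(pattern_name: str) -> dict:
    """Map each sample message to True (dropped) or False (indexed)."""
    pat = PATTERNS[pattern_name]
    return {name: is_blacklisted(pat, msg) for name, msg in MESSAGES.items()}

def keeps_only_gpc_and_dns(pattern_name: str) -> bool:
    """True when exactly the groupPolicyContainer/dnsNode samples survive."""
    result = evaluate(pattern_name)
    return all(dropped == name.startswith("user") for name, dropped in result.items())

if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:12s} {evaluate(name)}  correct={keeps_only_gpc_and_dns(name)}")
```

Both patterns from the post behave identically (alternation inside a lookahead does not need its own group), but on the tab-indented samples `\s+` backtracks one character and the lookahead then succeeds, so the groupPolicyContainer and dnsNode events are dropped too.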