Hi,

I'm using the Syslog server to gather all my Windows events. Right now, I'm trying to use a Splunk Heavy forwarder to filter off Event ID 5156 and 4768.

I have configured both my props.conf and transforms.conf.
Below are the settings:

props.conf

[source::D:\Program Files (x86)\Syslogd\Logs]
TRANSFORM-null= setnull

transforms.conf

[setnull]
REGEX= (\d+.){6}\d+\s(5156|4768)
DEST_KEY = queue
FORMAT = nullQueue

One of the sample messages from the Windows Events is below

2015-12-09 12:52:12 Kernel.Notice   192.168.1.12    Dec 09 12:52:12 DSFDCUAT01.buk.edu.my MSWinEventLog 5   Security    14032221    Wed Dec 09 12:48:50 2015    5156    Microsoft-Windows-Security-Auditing     N/A Audit Success   DSFDCUAT01.buk.edu.my   12810   The description for Event ID 5156 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

I'm trying to filter the Event ID which is located in Wed Dec 09 12:48:50 2015 5156 within the message.

Pls advise if my Regex is correct.

Thank you.