I'm trying to edit inputs.conf in my forwarder to show ONLY Event 4624, with only Logon Type 2 or 11. I've seen many examples online of similar things, but nothing has worked for me so far. I understand I need to parse the Logon Type out of the Message field.
What would I have to add to this:
whitelist1 = EventCode="4624" Message="what's here?"
... View more