Hi, we've implemented the SEDCMD setting on the indexers to erase the part "This event is generated...." from Windows logs, in this way:

    [WinEventLog]
    SEDCMD-gen=s/(?s)This event is generated .+$//

Now this is working for more than 700 hosts. Anyway, for only 8 hosts that verbose part is still there (there is no difference from the others: the universal forwarder is sending logs to the same indexers with no intermediate heavy forwarder or stuff like that). I can't really figure out why this is happening. Any idea?