Hi jwindley,
this is what I have in my Avecto app:
props.conf
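# props.conf stanza for events whose source is the Windows Application log.
[source::WinEventLog:Application]
# Search-time field extractions, applied in the order listed: avec-wel-message
# runs first because the next two transforms take their SOURCE_KEY from the
# fields it produces (see transforms.conf).
REPORT-MESSAGE = avec-wel-message, avec-wel-eq-kv, avec-wel-col-kv
# Automatic key=value extraction is off; the REPORT transforms above do it.
KV_MODE = none
# Note the below settings are effectively legacy, in place here to handle
# data coming from much much older forwarders (3.x & 4.x)
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = (\r\n)
# strip-winevt-linebreaker is defined elsewhere and not shown in this post.
TRANSFORMS-FIELDS = strip-winevt-linebreaker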
transforms.conf
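[avec-wel-message]
# Split the raw event into everything before the "Message=" line (_pre_msg)
# and the message body itself (Message). Both named groups become fields that
# the following two transforms use as their SOURCE_KEY.
# NOTE(review): the post rendered the second group as "(?.+)" with its name
# missing -- most likely "<Message>" was stripped as an HTML tag while
# "<_pre_msg>" (not a valid tag name) survived. Reconstructed as <Message> to
# match SOURCE_KEY = Message in [avec-wel-col-kv]; confirm against the live
# transforms.conf before relying on it.
REGEX = (?sm)^(?<_pre_msg>.+)\nMessage=(?<Message>.+)$
# Keep the captured names as-is; presumably so the leading underscore of
# _pre_msg is not removed -- verify against CLEAN_KEYS semantics for your version.
CLEAN_KEYS = false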
[avec-wel-eq-kv]
# Key=value extraction over the header portion captured as _pre_msg by
# [avec-wel-message]: one pair per line, key and value separated by "=".
# Repeated keys are kept as multivalue fields rather than overwritten.
MV_ADD = true
SOURCE_KEY = _pre_msg
DELIMS = "\n","="
[avec-wel-col-kv]
# Colon-separated pairs taken from the Message field produced by
# [avec-wel-message]; each match becomes a field named by $1 with value $2.
SOURCE_KEY = Message
# NOTE(review): FORMAT below references $1 and $2, but only one capture group,
# "([^\r]*)", is visible in this regex. The group that should capture the key
# name before ":" appears to have been lost when the post was rendered; verify
# this line against the original transforms.conf before using it.
REGEX = \n? \t:[ \t]++([^\r]*)
FORMAT = $1::$2
MV_ADD = true