Hello everybody,
I'm new to this field and I have one question.
We have too many Windows security logs indexed that are generated by machine accounts.
I want to filter out logs that look like this:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4658
EventType=0
Type=Information
ComputerName=comp1.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=4463688
Keywords=Audit Success
Message=The handle to an object was closed.
Subject :
Security ID: DOMAIN1\SERVER01$
Account Name: SERVER01$
Account Domain: DOMAIN1
Logon ID: 0x347732
I need to filter out logs that have "Account Name: SERVER01$".
What is the best way to do this?
I know about props.conf and transforms.conf, but I don't know how to generate the right regex for that.
Please help!
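One way to route such events to the null queue with props.conf and transforms.conf, as an added example that is not part of the original post; the sourcetype name WinEventLog:Security (the classic LogName=/EventCode= format shown above) and the stanza name drop_machine_accounts are assumptions, so adjust them to your environment:

```ini
# props.conf (parsing tier: indexer or heavy forwarder, not a universal forwarder)
# Assumed sourcetype for classic-format Windows Security events.
[WinEventLog:Security]
TRANSFORMS-drop_machine_accounts = drop_machine_accounts

# transforms.conf
# Matches an "Account Name:" line whose value ends in "$", which is how
# Active Directory computer (machine) accounts are named, e.g. SERVER01$.
# (?m) makes ^ and $ match at line boundaries inside the multi-line _raw
# event; \s* tolerates the tab/space padding Splunk puts around the field.
# Ordinary user accounts never end in "$", so they are not affected.
[drop_machine_accounts]
REGEX = (?m)^\s*Account Name:\s*\S+\$\s*$
DEST_KEY = queue
FORMAT = nullQueue

# Narrower alternative: drop only the low-value 4658 "handle closed" events
# for machine accounts and keep their logons and other audit events.
# (?s) lets .*? span the lines between the EventCode and Subject fields.
# [drop_machine_accounts]
# REGEX = (?ms)^EventCode=4658\s*$.*?^\s*Account Name:\s*\S+\$\s*$
# DEST_KEY = queue
# FORMAT = nullQueue
```

This only affects data indexed after the change and a restart of the parsing tier; events already indexed stay. Dropping every machine-account event also discards logons and other activity a defender may later need, so the EventCode-restricted variant is usually the safer starting point.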