Hi @gcusello, I have a similar issue. I am trying to blacklist EventCode 4662 on the universal forwarder except when AccountName!=*$ and AccessMask=0x100.

Sample log:

```
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxxxx
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=1079080612
Keywords=Audit Success
Message=An operation was performed on an object.

Subject:
	Security ID:		xx\Axxxxx
	Account Name:		Axxxxx
	Account Domain:		xxxx
	Logon ID:		xxxxxxxx

Object:
	Object Server:		DS
	Object Type:		computer
	Object Name:		CN=YDxxxx,OU=xxxxx,OU=xxxx,OU=xxxxx,DC=xxxx,DC=xxxx,DC=xxx
	Handle ID:		0x0

Operation:
	Operation Type:		Object Access
	Accesses:		Control Access
	Access Mask:		0x100
	Properties:	Control Access
		Default Property Set
			ms-Mcs-AdmPwd
		computer

Additional Information:
	Parameter 1:	-
	Parameter 2:
```

I tried multiple regexes in my inputs.conf and they didn't work:

1)
```
blacklist1 = EventCode="4662" Message="(Object Type:(?=\s*groupPolicyContainer)) [\s\S]*((Properties:(?=[\s\S]*Default Property Set(.*)\s*ms-Mcs-AdmPwd))(Access Mask:(?=[\s\S]*0x100)))"
```

2)
```
blacklist1 = EventCode="4662" Message="(?ms)Account\sName:[\s\S]*\$*Access\sMask:[\s\S]+0x(0$|1$|2$|20$)"
```
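The following is an added worked example, not code from the post or from the thread. A Splunk blacklist drops the events whose regex matches, so to "blacklist 4662 except when the account is not a machine account and the mask is 0x100" the Message regex has to describe the complement: drop when Account Name ends in `$` OR Access Mask is anything other than 0x100. The snippet builds that pattern with a negative lookahead (the same style as the 4662 example in Splunk's inputs.conf.spec), emits the inputs.conf line, and runs it over constructed 4662 messages to show which ones the forwarder would keep. Assumptions: Splunk applies the Message regex as an unanchored PCRE search over the full multi-line Message field; the account names, domain, SID and DN in the sample messages are made up. Note also that the post's second attempt uses `\$*`, which allows zero `$` characters and therefore never requires a machine account.

```python
import re

# Splunk blacklists DROP events whose regex matches, so the pattern describes the
# events to discard (the complement of "human account AND Access Mask 0x100"):
#   drop if Account Name ends with '$' (machine account)
#   OR     Access Mask is anything other than exactly 0x100.
# The trailing \S after the lookahead stops \s+ from backtracking onto the last
# whitespace character and defeating the lookahead (0x100 would otherwise be
# dropped as well).  Only syntax common to Python's re and PCRE is used.
DROP_RE = r"Account Name:\s+\S*\$(?=\s)|Access Mask:\s+(?!0x100\b)\S"

# Line to place under the [WinEventLog://Security] stanza of inputs.conf on the UF.
INPUTS_CONF_LINE = f'blacklist1 = EventCode="4662" Message="{DROP_RE}"'


def make_4662(account_name: str, access_mask: str) -> str:
    """Constructed 4662 Message body modelled on the event in the post (not real
    log data); only Account Name and Access Mask vary between samples."""
    return (
        "An operation was performed on an object.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n"          # assumed SID
        f"\tAccount Name:\t\t{account_name}\n"
        "\tAccount Domain:\t\tCORP\n"                        # assumed domain
        "\tLogon ID:\t\t0x3E7\n\n"
        "Object:\n"
        "\tObject Server:\t\tDS\n"
        "\tObject Type:\t\tcomputer\n"
        "\tObject Name:\t\tCN=WS01,OU=Workstations,DC=corp,DC=example\n"  # assumed DN
        "\tHandle ID:\t\t0x0\n\n"
        "Operation:\n"
        "\tOperation Type:\t\tObject Access\n"
        "\tAccesses:\t\tControl Access\n"
        f"\tAccess Mask:\t\t{access_mask}\n"
        "\tProperties:\tControl Access\n"
        "\t\tDefault Property Set\n"
        "\t\t\tms-Mcs-AdmPwd\n"
        "\t\tcomputer\n\n"
        "Additional Information:\n"
        "\tParameter 1:\t-\n"
        "\tParameter 2:\t\n"
    )


def should_blacklist(message: str) -> bool:
    """True when the forwarder would discard this 4662 event under DROP_RE.
    Assumes Splunk evaluates the Message regex as an unanchored search over the
    whole multi-line field (which is how the key="regex" form behaves)."""
    return re.search(DROP_RE, message) is not None


def forward(messages):
    """Return only the messages that survive the blacklist, in order."""
    return [m for m in messages if not should_blacklist(m)]


# Constructed samples: who read ms-Mcs-AdmPwd (0x100 = Control Access) and who did not.
SAMPLES = {
    "human_0x100": make_4662("alice", "0x100"),     # keep: LAPS password read by a person
    "machine_0x100": make_4662("WS01$", "0x100"),   # drop: machine account
    "human_0x20": make_4662("alice", "0x20"),       # drop: not a 0x100 access
    "human_0x1000": make_4662("alice", "0x1000"),   # drop: 0x1000 is not 0x100
}

if __name__ == "__main__":
    print(INPUTS_CONF_LINE)
    for name, msg in SAMPLES.items():
        print(f"{name:14s} -> {'DROP' if should_blacklist(msg) else 'KEEP'}")
```

Running the script prints the inputs.conf line and a KEEP/DROP verdict per sample; only the human 0x100 read survives. Because the two key="regex" pairs on one blacklist line are ANDed, EventCode="4662" confines the Message test to that event, so other event IDs are unaffected. After changing inputs.conf, restart the forwarder and confirm with a search such as `index=wineventlog EventCode=4662` that machine-account and non-0x100 events have stopped arriving.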