[WinEventLog://ForwardedEvents]

disabled = 0

checkpointInterval = 5

current_only = 0

start_from = oldest

index = wineventlog
# Filtering can be done with regex on the following field names :  Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

whitelist = EventCode=%^(400|1102|4610|4624|4625|4656|4662|4663|4697|4698|4723|4724|4728|4738|4756|4759|4765|4768|4769|4771|4776|4794|1|2|3|7|11|13|22)$%

blacklist01 = User=%^.*\$$%

blacklist02 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

renderXml = true

suppress_text = true

suppress_sourcename= true

suppress_keywords= true

suppress_task = true

suppress_opcode = true