...\splunk\etc\system\local
## props.conf
## Routes every event of this sourcetype through the transforms listed below,
## applied in the order given. wmi-null sends everything to nullQueue first;
## each later transform re-routes only its own matches to indexQueue, so the
## allow-list works only while wmi-null stays first in the list.
[WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-null,wmi-filter,wmi-filter28user,wmi-filter28SecGrp,wmi-filter28DlGrp
## transforms.conf
## Catch-all drop rule: "." matches any non-empty event, so by default nothing
## from the Security log is indexed. Only the category allow-list stanzas that
## follow can override this; every other Security event is discarded before
## indexing, so review that list against what detections actually need.
[wmi-null]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = .
## Allow-list entry: keep events whose CategoryString line reads exactly
## "Account Management". (?m) lets ^ anchor at the start of any line inside the
## multi-line WMI event, (?i) makes the match case-insensitive, (?s) is unused
## here. The category name is the English one; a localized OS would report a
## different string and these events would then fall through to wmi-null.
[wmi-filter]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?msi)^(CategoryString=Account Management)
## Allow-list entry for the "User Account Management" category (the "28" in
## the stanza name presumably refers to the Windows 2008-style category
## names — confirm against the systems being collected). Because ^ anchors the
## match, this does not overlap with the plain "Account Management" stanza.
[wmi-filter28user]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?msi)^(CategoryString=User Account Management)
## Allow-list entry for the "Security Group Management" category. Same flags
## and anchoring as the other allow-list stanzas; English category name only.
[wmi-filter28SecGrp]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?msi)^(CategoryString=Security Group Management)
## Allow-list entry for the "Distribution Group Management" category. Same
## flags and anchoring as the other allow-list stanzas; English category name
## only. Any category not listed in one of these stanzas is dropped by wmi-null.
[wmi-filter28DlGrp]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?msi)^(CategoryString=Distribution Group Management)