Exec if $EventID NOT IN - Question on placement in config.
dmm3369
Would this be the correct placement to add the filter event ID string? Should anything else be commented out?
#Windows Event Logging of Security,System and Application Logs
Module im_mseventlog
Exec to_syslog_snare();
Exec if $EventID NOT IN (528, 529, 567, 592, 601, 602, 608, 612, 636, 7034, 7035, 7036, 7040, 4097, 64004, 2, 3005) drop();
</Input>