1
response
response
Would this be the correct placement to add the filter event ID string? Should anything esle be commented out?
#Windows Event Logging of Security,System and Application Logs
Module im_mseventlog
Exec to_syslog_snare();
Exec if $EventID NOT IN (528, 529, 567, 592, 601, 602, 608, 612, 636, 7034, 7035, 7036, 7040, 4097, 64004, 2, 3005) drop();
</Input>
Comments (1)
Note that EventID is unique per source, so you probably want to add a test such as this: