Exec if $EventID NOT IN - Question on placement in config.

Tags:

#1 dmm3369

Would this be the correct placement to add the filter event ID string?  Should anything else be commented out?

#Windows Event Logging of Security,System and Application Logs
# (the opening <Input ...> line was not included in the post; the name "eventlog" is assumed here)
<Input eventlog>
    Module      im_mseventlog
    Exec to_syslog_snare();
    Exec if $EventID NOT IN (528, 529, 567, 592, 601, 602, 608, 612, 636, 7034, 7035, 7036, 7040, 4097, 64004, 2, 3005) drop();
</Input>


#2 adm Nxlog ✓

Note that EventID is unique per source, so you probably want to add a test such as this:

Exec if $FileName == 'Security' and $EventID NOT IN (528, ...
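A complete Input block that applies the per-log test from the reply, written here as an added example rather than as configuration from either poster. It assumes an im_mseventlog input named "eventlog", an om_udp output to a collector at 192.0.2.10:514, and that the original list of IDs splits by log as shown (the 5xx/6xx IDs are pre-Vista Security log logon/audit events and 703x/7040 are Service Control Manager events in the System log; the assignment of 4097, 64004, 2 and 3005 to the Application log is an assumption for illustration only). The drop tests run before to_syslog_snare() so that an event which is going to be discarded is never formatted, and a final catch-all drops events from any other log so that only the three named logs reach the output:

```nxlog
# Added example: per-log EventID filtering with im_mseventlog.
# Assumed names: input "eventlog", output "out", collector 192.0.2.10:514.

<Extension syslog>
    # to_syslog_snare() is provided by xm_syslog and must be loaded
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_mseventlog
    <Exec>
        # EventID is only unique within a log, so test $FileName together
        # with $EventID. Dropping first avoids formatting events we discard.
        if $FileName == 'Security' and \
           $EventID NOT IN (528, 529, 567, 592, 601, 602, 608, 612, 636) drop();
        if $FileName == 'System' and \
           $EventID NOT IN (7034, 7035, 7036, 7040) drop();
        # Assumed grouping of the remaining IDs under the Application log.
        if $FileName == 'Application' and \
           $EventID NOT IN (4097, 64004, 2, 3005) drop();
        # Catch-all: events from any other log are not wanted at all.
        if $FileName NOT IN ('Security', 'System', 'Application') drop();
        # Only events that survived the tests above are formatted.
        to_syslog_snare();
    </Exec>
</Input>

<Output out>
    Module  om_udp
    Host    192.0.2.10
    Port    514
</Output>

<Route eventlog_to_collector>
    Path    eventlog => out
</Route>
```

Nothing in the original snippet needs to be commented out for this to work; the only change in behaviour from the posted config is that the drop decision is now made per log and before the Snare conversion, so an ID such as 2 in the System log is no longer kept just because 2 appears in the Application list.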