Proper Syntax for filtering forwarded events?

So this is a two-fer, filtering and processing with the security module

What is the proper syntax for this?

The article has this, so that the script applies to the security entries - but in my case they're "ForwardedEvents" and applying it to that category doesn't seem to do anything.

Same for filtering by event ID - how do I manage that? Normally you can do it by name (Security, Application, System) and then ID - how can I filter by name/ID while inside ForwardedEvents?

Or do I just have to filter by event ID and then 'drop' by name when it hits logstash? I was hoping to do this all from the winlogbeat config side but wherever works, I guess!


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.