I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've installed Universal SplunkForwarder 4.3, collecting Application, Security, and System events. I don't want to see Security "Success Audit" events, since there are anywhere from 1000-3500 per minute. (And I need to have the Audit Success flags turned on for the server, since we need to be CIS server compliant.)
On the server, I have defined:

props.conf

    [WinEventLog:Security]
    TRANSFORMS-set=dropevents

transforms.conf

    [dropevents]
    REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
    DEST_KEY = queue
    FORMAT = nullQueue

I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?
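Added example, not part of the question and not Splunk's own code: a Python check that runs the REGEX from the transforms.conf above against constructed sample events, so the pattern can be validated offline before touching the indexer. The key=value layout and field order of the sample events are assumptions based on how Splunk 4.x renders Windows event logs; paste a real _raw event in their place to get an authoritative answer.

```python
import re

# The REGEX exactly as written in the question's transforms.conf. Splunk evaluates it
# with PCRE; for this pattern Python's re module behaves identically
# ((?msi) = MULTILINE, DOTALL, IGNORECASE).
DROP_REGEX = r"(?msi)^EventCode=(560|562|567).*^(Type=Audit Success)"

# Constructed sample events (layout assumed; replace with real _raw text to verify).
SUCCESS_560 = (
    "02/01/2012 10:15:02 AM\nLogName=Security\nSourceName=Security\n"
    "EventCode=560\nEventType=8\nType=Audit Success\nComputerName=WIN2K3-01\n"
    "Message=Object Open\n"
)
SUCCESS_4624 = (
    "02/01/2012 10:15:03 AM\nLogName=Security\nSourceName=Security\n"
    "EventCode=4624\nEventType=8\nType=Audit Success\nComputerName=WIN2K3-01\n"
    "Message=An account was successfully logged on\n"
)
FAILURE_560 = (
    "02/01/2012 10:15:04 AM\nLogName=Security\nSourceName=Security\n"
    "EventCode=560\nEventType=16\nType=Audit Failure\nComputerName=WIN2K3-01\n"
    "Message=Object Open\n"
)


def event_is_dropped(raw_event: str, pattern: str = DROP_REGEX) -> bool:
    """True when the transform would route this event to nullQueue."""
    return re.search(pattern, raw_event) is not None


def filter_events(events, pattern: str = DROP_REGEX):
    """Return the events that would survive the transform and be indexed."""
    return [e for e in events if not event_is_dropped(e, pattern)]


if __name__ == "__main__":
    for name, ev in [("SUCCESS_560", SUCCESS_560),
                     ("SUCCESS_4624", SUCCESS_4624),
                     ("FAILURE_560", FAILURE_560)]:
        print(f"{name}: {'dropped' if event_is_dropped(ev) else 'kept'}")
```

If the pattern matches a real _raw event copied from the index but events are still not dropped, the regex is not the problem and the remaining suspects are which host applies props.conf/transforms.conf and whether the stanza name matches the sourcetype exactly.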