Source Processing Rules

Comments

3 comments

  • Eric Davis

    I tried using EventCode = 4768 to match and it winds up filtering everything.

  • David Wynn

    Eric,

    I would recommend making an include filter with the EventCode in it. The documentation for doing so is here:

    https://service.sumologic.com/help/#Include_and_exclude_filters.htm

    The only tricky part here is that windows messages are multiline, so you'll want to include your inline regex modifiers like so:

    (?s).*EventCode = 4768.*(?s)
    
  • Chad Furman

    I know this is an old thread. However, it is also worth noting that multi-line messages can be separated into individual lines by unchecking `Detect messages spanning multiple lines` under the collector settings.
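The two approaches above (a whole-message include filter with `(?s)`, or splitting the event into single-line messages) can be checked against a sample event before touching a collector. The block below is an added example written for this thread; it is not Sumo Logic code and does not use the Sumo Logic API. It assumes that an include filter must match the entire message (which is why the comment wraps the EventCode in `.*`), emulated here with `re.fullmatch`, and uses a constructed multi-line Windows Security event rather than a real capture. Python only accepts a global inline flag such as `(?s)` at the start of a pattern, so only the leading one is used.

```python
import re

# Constructed sample: a Windows Security event rendered as one multi-line
# message, the shape a collector produces when multi-line detection is on.
# Not a real capture; field layout is illustrative.
SAMPLE_EVENT = """2024-01-15 10:22:31,Security,Microsoft-Windows-Security-Auditing
EventCode = 4768
EventType = 0
Type = Information
Message = A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:  jdoe
    Supplied Realm Name: CORP"""


def whole_message_match(pattern: str, message: str) -> bool:
    """Emulate an include filter that must match the whole message."""
    return re.fullmatch(pattern, message) is not None


def matches_without_dotall(message: str) -> bool:
    """The naive filter: '.' does not cross newlines, so '.*' cannot span
    the lines before and after 'EventCode = 4768' and the filter matches
    nothing (the behaviour reported in the first comment)."""
    return whole_message_match(r".*EventCode = 4768.*", message)


def matches_with_dotall(message: str) -> bool:
    """The corrected filter: (?s) makes '.' match newlines, so '.*' can
    absorb the surrounding lines and the whole message matches."""
    return whole_message_match(r"(?s).*EventCode = 4768.*", message)


def matching_lines(pattern: str, message: str) -> list:
    """The single-line alternative: once the event is split into one
    message per line, a plain search per line is enough."""
    return [ln for ln in message.splitlines() if re.search(pattern, ln)]


def extract_event_code(message: str):
    """Pull the numeric EventCode out of a message (or None), which is the
    field a detection rule would key on; re.MULTILINE anchors ^ per line."""
    m = re.search(r"^EventCode = (\d+)$", message, re.MULTILINE)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print("without (?s):", matches_without_dotall(SAMPLE_EVENT))
    print("with (?s):   ", matches_with_dotall(SAMPLE_EVENT))
    print("per line:    ", matching_lines(r"EventCode = 4768", SAMPLE_EVENT))
    print("event code:  ", extract_event_code(SAMPLE_EVENT))
```

Running it shows the naive pattern rejecting the event while the `(?s)` version accepts it, and the per-line approach isolating the `EventCode = 4768` line; `extract_event_code` is the kind of helper a detection rule for Kerberos TGT requests would use once messages are flowing.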
