Source Processing Rules

  • Eric Davis

    I tried using EventCode = 4768 to match and it winds up filtering everything.

  • David Wynn

    I would recommend making an include filter with the EventCode in it. The documentation for doing so is here:

    The only tricky part here is that windows messages are multiline, so you'll want to include your inline regex modifiers like so:

    (?s).*EventCode = 4768.*(?s)
  • Chad Furman

    I know this is an old thread. However, it is also worth noting that multi-line messages can be separated into individual lines by unchecking `Detect messages spanning multiple lines` under the collector settings.
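    To make the two answers above concrete, here is an added Python example; it is not from this thread and not Sumo Logic's own code. It assumes that an include filter keeps a message only when the regex matches the entire message (hence re.fullmatch), which is why the bare pattern `EventCode = 4768` drops everything and why the `.*` on both sides is needed. The trailing `(?s)` from the answer is dropped because Python 3.11 and later reject inline flags that are not at the start of the pattern; the leading one is all that is needed. The sample events are constructed.

```python
import re

# Constructed sample: a Windows Security event the way a collector forwards it,
# with the multi-line body that Windows event messages typically carry.
SAMPLE_TGT_EVENT = (
    "LogName=Security\n"
    "SourceName=Microsoft-Windows-Security-Auditing\n"
    "EventCode = 4768\n"
    "EventType=0\n"
    "Message=A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n"
    "  Account Name: example-user\n"
)

# Constructed sample of an unrelated event that the filter should not keep.
SAMPLE_OTHER_EVENT = (
    "LogName=Security\n"
    "EventCode = 4624\n"
    "Message=An account was successfully logged on.\n"
)

# What the first poster tried: no wildcards at all.
PATTERN_BARE = r"EventCode = 4768"
# Wildcards, but '.' does not cross newlines without the (?s) modifier.
PATTERN_WITHOUT_DOTALL = r".*EventCode = 4768.*"
# The thread's recommendation (leading (?s) only; trailing one is redundant).
PATTERN_WITH_DOTALL = r"(?s).*EventCode = 4768.*"


def include_filter_keeps(pattern: str, message: str) -> bool:
    """Assumption: an include filter keeps a message only when the regex
    matches the whole message, so fullmatch is used rather than search."""
    return re.fullmatch(pattern, message) is not None


def filter_whole_messages(pattern: str, messages: list[str]) -> list[str]:
    """Filter with multi-line detection ON: each event is one message."""
    return [m for m in messages if include_filter_keeps(pattern, m)]


def filter_as_single_lines(pattern: str, messages: list[str]) -> list[str]:
    """Filter with multi-line detection OFF (the last answer's approach):
    the collector splits each event into lines and the filter runs per line,
    so (?s) is unnecessary, but only the matching line itself is kept."""
    kept = []
    for m in messages:
        for line in m.splitlines():
            if include_filter_keeps(pattern, line):
                kept.append(line)
    return kept


if __name__ == "__main__":
    events = [SAMPLE_TGT_EVENT, SAMPLE_OTHER_EVENT]
    for name, pat in [("bare", PATTERN_BARE),
                      ("no (?s)", PATTERN_WITHOUT_DOTALL),
                      ("with (?s)", PATTERN_WITH_DOTALL)]:
        kept = filter_whole_messages(pat, events)
        print(f"{name:10} keeps {len(kept)} of {len(events)} whole messages")
    print("per-line:", filter_as_single_lines(PATTERN_WITHOUT_DOTALL, events))
```

    Running it shows the symptom from the first post (the bare pattern keeps nothing), the reason the plain `.*` version also keeps nothing on a multi-line event, and the two working options: the `(?s)` pattern on whole messages, or the plain pattern once the collector has split events into lines. The per-line route loses the rest of the event body, which matters if you later want the account or client fields from the same 4768 record.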
