<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Log Insight Agent - Collect Windows Events with Specific Text in VMware Aria Operations for Logs Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insight-Agent-Collect-Windows-Events-with-Specific-Text/m-p/1829681#M1582</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have been using the Agent Configuration to collect specific Windows EventIDs as in the example below, which works fine. In this example, the agent is collecting AppLocker events with ID of 8004.&lt;/P&gt;&lt;P&gt;According to &lt;A href="https://docs.vmware.com/en/vRealize-Log-Insight/8.0/com.vmware.log-insight.agent.admin.doc/GUID-C4F0E19E-AC62-47F7-A5A0-32F189008CB5.html" title="https://docs.vmware.com/en/vRealize-Log-Insight/8.0/com.vmware.log-insight.agent.admin.doc/GUID-C4F0E19E-AC62-47F7-A5A0-32F189008CB5.html"&gt;Event Fields and Operators&lt;/A&gt;, you should be able to use "Text" in an expression, but I have not been successful so far.&lt;/P&gt;&lt;P&gt;But I am trying to filter further, by collecting events that contain specific text such as "powershell". I have tried expressions such as the following ones in the Whitelist filter expression but no success:&lt;/P&gt;&lt;P&gt;Text == \b(\w*powershell\w*)\b (regex expression)&lt;/P&gt;&lt;P&gt;or&lt;/P&gt;&lt;P&gt;Text="powershell"&lt;/P&gt;&lt;P&gt;Any ideas on what the proper syntax should be?&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;&lt;P&gt;Note: Obviously, I can filter after all events are collected, but I wanted to see if I could avoid needlessly ingesting events that are of no value.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="AgentConfiguration.jpg"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/20888iDB6AAA1E5ED50BDF/image-size/large?v=v2&amp;amp;px=999" role="button" title="AgentConfiguration.jpg" alt="AgentConfiguration.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 15 Jun 2020 22:38:02 GMT</pubDate>
    <dc:creator>VA323</dc:creator>
    <dc:date>2020-06-15T22:38:02Z</dc:date>
    <item>
      <title>Log Insight Agent - Collect Windows Events with Specific Text</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insight-Agent-Collect-Windows-Events-with-Specific-Text/m-p/1829681#M1582</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have been using the Agent Configuration to collect specific Windows EventIDs as in the example below, which works fine. In this example, the agent is collecting AppLocker events with ID of 8004.&lt;/P&gt;&lt;P&gt;According to &lt;A href="https://docs.vmware.com/en/vRealize-Log-Insight/8.0/com.vmware.log-insight.agent.admin.doc/GUID-C4F0E19E-AC62-47F7-A5A0-32F189008CB5.html" title="https://docs.vmware.com/en/vRealize-Log-Insight/8.0/com.vmware.log-insight.agent.admin.doc/GUID-C4F0E19E-AC62-47F7-A5A0-32F189008CB5.html"&gt;Event Fields and Operators&lt;/A&gt;, you should be able to use "Text" in an expression, but I have not been successful so far.&lt;/P&gt;&lt;P&gt;But I am trying to filter further, by collecting events that contain specific text such as "powershell". I have tried expressions such as the following ones in the Whitelist filter expression but no success:&lt;/P&gt;&lt;P&gt;Text == \b(\w*powershell\w*)\b (regex expression)&lt;/P&gt;&lt;P&gt;or&lt;/P&gt;&lt;P&gt;Text="powershell"&lt;/P&gt;&lt;P&gt;Any ideas on what the proper syntax should be?&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;&lt;P&gt;Note: Obviously, I can filter after all events are collected, but I wanted to see if I could avoid needlessly ingesting events that are of no value.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="AgentConfiguration.jpg"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/20888iDB6AAA1E5ED50BDF/image-size/large?v=v2&amp;amp;px=999" role="button" title="AgentConfiguration.jpg" alt="AgentConfiguration.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Jun 2020 22:38:02 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insight-Agent-Collect-Windows-Events-with-Specific-Text/m-p/1829681#M1582</guid>
      <dc:creator>VA323</dc:creator>
      <dc:date>2020-06-15T22:38:02Z</dc:date>
    </item>
  </channel>
</rss>