Use the Windows event fields and operators to build filter expressions.
Filter Expression Operators
| Operator | Description |
|---|---|
| ==, != | Equal and not equal. Use with both numeric and string fields. |
| >=, >, <, <= | Greater than or equal, greater than, less than, less than or equal. Use with numeric fields only. |
| &, \|, ^, ~ | Bitwise AND, OR, XOR and (unary) complement. Use with numeric fields only. A bitwise result used on its own as a filter counts as true when it is nonzero, which is how the Keywords example below works. |
| and, or | Logical AND and OR. Use to build complex expressions by combining simple expressions. |
| not | Unary logical NOT. Use to reverse the value of an expression. |
| () | Use parentheses to change the order of evaluation. The relative precedence of the operators is not specified here, so parenthesize any expression that mixes bitwise, comparison and logical operators rather than relying on a default. |
Windows Event Fields
You can use the following Windows event fields in a filter expression.
| Field name | Field type |
|---|---|
| Hostname | string |
| Text | string |
| ProviderName | string |
| EventSourceName | string |
| EventID | numeric |
| EventRecordID | numeric |
| Channel | string |
| UserID | string |
| Level | numeric. Predefined level constants such as WINLOG_LEVEL_SUCCESS and WINLOG_LEVEL_INFO (used in the examples below) can stand in for the numeric value. |
| Task | numeric |
| OpCode | numeric |
| Keywords | numeric. Predefined keyword bit masks such as WINLOG_KEYWORD_AUDITFAILURE (used in the examples below) can be combined with the bitwise operators. |
Examples

Collect all critical, error and warning events. Windows records Critical, Error and Warning as Level 1, 2 and 3, so the expression keeps events whose Level lies strictly between the success and informational constants and drops informational and verbose events:

```
[winlog|app] channel = Application whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO
```

Collect only Audit Failure events from the Security channel. The bitwise AND is nonzero only when the Audit Failure keyword bit is set, so the whitelist passes those events and drops everything else in the channel, including Audit Success events:

```
[winlog|security] channel = Security whitelist = Keywords & WINLOG_KEYWORD_AUDITFAILURE
```
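The filter language above is small enough to model end to end. What follows is an added example, not the collector's own parser and not code from this page: a Python evaluator for the operators and fields listed above, run over a handful of constructed sample events so that a whitelist expression can be checked before it is deployed. Two things in it are assumptions: the numeric values behind WINLOG_LEVEL_SUCCESS, WINLOG_LEVEL_INFO and WINLOG_KEYWORD_AUDITFAILURE (taken from Windows' own Level numbers and the Security log's Audit Failure keyword bit, not from the collector's definitions), and the operator precedence (Python-like, so bitwise operators bind tighter than comparisons, which bind tighter than not, and, or), since the page only states that parentheses change the evaluation order.

```python
import operator
import re

# Assumed values for the page's predefined constants (added example, not the
# collector's definitions): Windows Level numbers and the Audit Failure keyword bit.
CONSTANTS = {"WINLOG_LEVEL_SUCCESS": 0, "WINLOG_LEVEL_INFO": 4,
             "WINLOG_KEYWORD_AUDITFAILURE": 0x10000000000000}
FIELDS = {"hostname", "text", "providername", "eventsourcename", "channel", "userid",
          "eventid", "eventrecordid", "level", "task", "opcode", "keywords"}
# Binary operators: symbol -> (precedence, function). Higher precedence binds
# tighter; the ordering is an assumption, the page only promises that () changes it.
BINARY = {
    "or": (1, lambda a, b: bool(a) or bool(b)), "and": (2, lambda a, b: bool(a) and bool(b)),
    "==": (4, operator.eq), "!=": (4, operator.ne), ">=": (4, operator.ge),
    ">": (4, operator.gt), "<": (4, operator.lt), "<=": (4, operator.le),
    "|": (5, operator.or_), "^": (6, operator.xor), "&": (7, operator.and_),
}
UNARY = {"not": (3, operator.not_), "~": (8, operator.invert)}
TOKEN_RE = re.compile(r'\s*(?:(0x[0-9A-Fa-f]+|\d+)|("[^"]*")|([A-Za-z_]\w*)'
                      r'|(==|!=|>=|<=|>|<|[&|^~()])|(\S))')

def tokenize(text):
    """Split an expression into (kind, value) tokens; and/or/not are keywords."""
    tokens = []
    for num, string, ident, op, bad in TOKEN_RE.findall(text):
        if bad:
            raise ValueError(f"bad character {bad!r} in filter expression")
        if num:
            tokens.append(("num", int(num, 16 if num[:2].lower() == "0x" else 10)))
        elif string:
            tokens.append(("str", string[1:-1]))
        elif ident:
            low = ident.lower()
            tokens.append(("kw", low) if low in ("and", "or", "not") else ("ident", ident))
        else:
            tokens.append(("op", op))
    return tokens

class Parser:
    """Precedence-climbing parser; every parse method returns a callable that
    evaluates its subexpression against an event dict."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text) + [(None, None)], 0  # sentinel ends the list
        self.fn = self.expr()
        if self.toks[self.i] != (None, None):
            raise ValueError(f"unexpected token {self.toks[self.i]}")

    def expr(self, min_prec=1):
        left = self.unary()
        while True:
            kind, sym = self.toks[self.i]
            if kind not in ("op", "kw") or sym not in BINARY or BINARY[sym][0] < min_prec:
                return left
            self.i += 1
            prec, op = BINARY[sym]
            right = self.expr(prec + 1)  # left-associative: right side binds only tighter ops
            left = (lambda l, r, op: lambda ev: op(l(ev), r(ev)))(left, right, op)

    def unary(self):
        kind, val = self.toks[self.i]
        if (kind, val) in (("kw", "not"), ("op", "~")):
            self.i += 1
            prec, op = UNARY[val]
            inner = self.expr(prec)
            return lambda ev: op(inner(ev))
        return self.primary()

    def primary(self):
        kind, val = self.toks[self.i]
        self.i += 1
        if kind in ("num", "str"):
            return lambda ev: val
        if kind == "ident" and val in CONSTANTS:
            return lambda ev: CONSTANTS[val]
        if kind == "ident" and val.lower() in FIELDS:  # field names match case-insensitively
            return lambda ev: {k.lower(): v for k, v in ev.items()}[val.lower()]
        if (kind, val) == ("op", "("):
            fn = self.expr()
            if self.toks[self.i] == ("op", ")"):
                self.i += 1
                return fn
        raise ValueError(f"bad or unbalanced token {(kind, val)}")

def matches(expression, event):
    """True when the expression is truthy for the event, i.e. a whitelist keeps it."""
    return bool(Parser(expression).fn(event))

# Constructed sample events, not captured from a host. Keywords use the real
# Security-log bits: 0x10... is Audit Failure, 0x20... is Audit Success.
SAMPLE_EVENTS = [
    {"Channel": "Application", "EventID": 1000, "Level": 2, "Keywords": 0x80000000000000},
    {"Channel": "Application", "EventID": 1, "Level": 4, "Keywords": 0x80000000000000},
    {"Channel": "Security", "EventID": 4625, "Level": 0, "Keywords": 0x8010000000000000},
    {"Channel": "Security", "EventID": 4624, "Level": 0, "Keywords": 0x8020000000000000},
]

def select(expression, events=SAMPLE_EVENTS):
    """EventIDs of the sample events a whitelist expression would keep."""
    return [ev["EventID"] for ev in events if matches(expression, ev)]
```

Calling `select` with the two expressions from the examples above keeps only the Level 2 Application event for the first and only the audit-failure event 4625 for the second; adding `not` in front of the Keywords test flips it to the Audit Success event. Bitwise operators and `~` applied to a string field raise a TypeError from Python itself, which matches the "numeric fields only" rule in the operator table, but ordering comparisons between two strings are left to Python and so are allowed here even though the table restricts them to numeric fields.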