Filter out Splunk and osqueryd events

Vagrant/resources/splunk_forwarder/wef_inputs.conf

@@ -59,6 +59,8 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
+blacklist = Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe)"
+blacklist1 = Message="(?:Process Name:).+(?:C:\\Program Files\\SplunkUniversalForwarder\\bin\\)"
 
 [WinEventLog://WEC-Code-Integrity]
 sourcetype = WinEventLog:Security
@@ -87,6 +89,16 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 
+[WinEventLog://WEC2-Object-Manipulation]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Object-Handle
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+blacklist = Message="(?:Process Name:).+(?:osqueryd.exe)"
+
 [WinEventLog://WEC2-Task-Scheduler]
 sourcetype = WinEventLog:Task-Scheduler
 source = WinEventLog:Task-Scheduler
@@ -140,7 +152,6 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
-blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe"
 
 [WinEventLog://WEC3-Windows-Diagnostics]
 sourcetype = WinEventLog:System
@@ -412,15 +423,6 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 
-[WinEventLog://WEC2-Object-Manipulation]
-sourcetype = WinEventLog:Security
-source = WinEventLog:Object-Handle
-index=wineventlog
-disabled = 0
-start_from = oldest
-current_only = 0
-checkpointInterval = 5
-
 [monitor://c:\pslogs]
 index = powershell
 sourcetype = powershell_transcript