    Filtering on Windows Events

      I'm sure this is simple . . . but so far I have been unsuccessful in making it work.

      I am using Kiwi Syslog Server and Snare to collect syslog messages from Windows 2003 servers.  The collection and simple display is going well.  What I am having problems with is filtering on specific Windows events, like #529.  In the display of the log I see <TAB>529<TAB>.  Seems like I could just filter on "\t529\t" - but that does not work.

      SO . . . is anyone else doing this?  What am I missing?  I am still evaluating the product (I have the 30-day eval version) and really like the potential of the product - but to buy it and put it into production, this HAS to work.