Delete event logs from source server?


(Nathan Hicks) #1

Is it possible to delete the Windows event logs from a source server after they have been forwarded to Graylog? I have one old server whose security logs are filling up and preventing people from logging into the machine.


(Jochen) #2

You can drop these messages using a processing pipeline rule and the drop_message() function.


(Nathan Hicks) #3

Thanks for the reply. So just to make sure I’m understanding - If I have a super old W2k3 server sending Windows Security event logs to Graylog, this will delete those security events from the W2k3 server, or just drop them from Graylog?


(Jochen) #4

It will just drop these messages from the processing pipeline in Graylog, so that they’re not indexed.

If you want to delete the entries of the Windows EventLog, you should probably read https://technet.microsoft.com/en-us/library/cc722318(v=ws.11).aspx.


(Nathan Hicks) #5

Thanks again. Looks like I’ll adjust the retention setting on the Windows server then - that will be easiest. Thanks for the help!
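An added example of the retention change settled on above, not code from the thread or from Graylog: a PowerShell script that reads the Security log's current size cap and overflow action and, if the log is set not to overwrite, switches it to overwrite-as-needed with a larger cap. It assumes an elevated session with the classic `Get-EventLog`/`Limit-EventLog` cmdlets (PowerShell 2.0 or later, the oldest PowerShell that runs on Windows Server 2003); `$LogName` and `$MaxSizeBytes` are assumed values chosen for the example.

```powershell
# Added example (not from the thread): inspect and adjust the retention
# settings of a classic Windows event log. Assumes PowerShell 2.0+ with the
# *-EventLog cmdlets and an elevated session. $LogName and $MaxSizeBytes are
# assumed defaults for this example.
param(
    [string]$LogName = 'Security',
    [int64]$MaxSizeBytes = 256MB   # Limit-EventLog requires a multiple of 64KB
)

# Current state: maximum size (KB) and overflow (retention) action.
$log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
if (-not $log) { throw "Event log '$LogName' not found on this host." }

Write-Host ("Before: {0} KB max, overflow action {1}" -f `
    $log.MaximumKilobytes, $log.OverflowAction)

# 'DoNotOverwrite' is the retention setting that lets the log fill up until it
# is cleared by hand, which is the situation the thread describes. Switching to
# OverwriteAsNeeded keeps the log rolling; raising the cap keeps more history
# on the host in case the Graylog forwarder falls behind.
if ($log.OverflowAction -eq 'DoNotOverwrite' -or
    ($log.MaximumKilobytes * 1KB) -lt $MaxSizeBytes) {
    Limit-EventLog -LogName $LogName `
        -MaximumSize $MaxSizeBytes `
        -OverflowAction OverwriteAsNeeded
}

# Re-read and report the resulting settings.
$log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
Write-Host ("After:  {0} KB max, overflow action {1}" -f `
    $log.MaximumKilobytes, $log.OverflowAction)
```

Confirm in Graylog that events from this host are actually arriving before changing the overflow action, since entries the host overwrites after that point exist only in Graylog.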