Graylog and Windows log level does not match


#1

Hi, I realise this may not be strictly a Graylog issue as I’m not sure where the level number is changing but it might be. I’m running nxlog on some Windows servers to send all logs to Graylog. I have some alerts and dashboards set up to highlight events with a level <3 (so errors and warnings). Nothing is showing up in the alerts or dashboards.

When I look at an error log's details on the Windows server it has a level of 2. The same error is showing up in Graylog but it has a level of 3. I’m just wondering if anyone knows why the level number does not match?
Screenshot below of the same error.
Thanks for any help,



(Jochen) #2

Log levels in Windows and Graylog do not use the same model.

For example Windows Event Log Level 2 means “Error” (see https://msdn.microsoft.com/en-us/library/microsoft.windowsazure.diagnostics.loglevel.aspx) while Graylog Log Level 2 means critical (see https://en.wikipedia.org/wiki/Syslog#Severity_level).

Since you probably want to use the same meaning and scale of “level” in all of your log messages, Graylog already did the right thing™ and translated Windows Event Log Level 2 (Error) to Graylog/Syslog Log Level 3 (Error).
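
An added example, not part of the thread, showing why a Graylog-side filter of `level <3` matches no Windows errors or warnings once the levels are translated. Only the Windows 2 (Error) to syslog 3 (Error) translation is confirmed above; the rest of the table is an assumed translation by meaning, and the event ids are constructed.

```python
# Windows Event Log level numbers and the names Windows gives them.
WINDOWS_LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning",
                       4: "Information", 5: "Verbose"}

# Syslog severity numbers (RFC 5424), the scale of Graylog's `level` field.
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}

# ASSUMPTION: levels are translated by meaning. The thread confirms only
# Windows "Error" (2) -> syslog "Error" (3); the other rows are illustrative.
WINDOWS_TO_SYSLOG_NAME = {"Critical": "Critical", "Error": "Error",
                          "Warning": "Warning", "Information": "Informational",
                          "Verbose": "Debug"}


def graylog_level(windows_level):
    """Translate a Windows Event Log level number to a syslog severity number."""
    try:
        name = WINDOWS_LEVEL_NAMES[windows_level]
    except KeyError:
        raise ValueError(f"unknown Windows level: {windows_level}") from None
    return SYSLOG_SEVERITY[WINDOWS_TO_SYSLOG_NAME[name]]


def missed_events(events, graylog_filter, wanted=("Critical", "Error", "Warning")):
    """Return ids of events the operator wants to see (by Windows level name)
    that the Graylog-side numeric filter does not match."""
    missed = []
    for ev in events:
        name = WINDOWS_LEVEL_NAMES[ev["windows_level"]]
        if name in wanted and not graylog_filter(graylog_level(ev["windows_level"])):
            missed.append(ev["id"])
    return missed


# Constructed sample events, one per Windows level of interest.
SAMPLE_EVENTS = [
    {"id": "evt-critical", "windows_level": 1},
    {"id": "evt-error", "windows_level": 2},
    {"id": "evt-warning", "windows_level": 3},
    {"id": "evt-info", "windows_level": 4},
]

if __name__ == "__main__":
    # Filter written against the Windows scale: errors and warnings are missed.
    print(missed_events(SAMPLE_EVENTS, lambda lvl: lvl < 3))
    # Filter written against the syslog scale: nothing wanted is missed.
    print(missed_events(SAMPLE_EVENTS, lambda lvl: lvl <= 4))
```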


#3

Thanks Jochen, so I will set my Graylog filters based on EventType or Severity to match the Windows logs.
Rgds

