Sedecar and nxlog - filtering windows events - severitz

lubos · June 1, 2017, 1:23pm

Hi,
we have graylog 2.2.3 and we have configured graylog sidecar with nxlog on clients.
We have a log of events with severitz INFO. We would like to filter input for windows eventslog in nxlog config.
I need to configure nxlog in sidecar collector on Graylog.

so, i think, i need to change configuration for module im_msvistalog.
How and where to configure this "Exec if ($Severity == ‘INFO’) drop(); " in graylog for input nxlog.

Configure NXLog Inputs?
Define NXLog Snippets?

jtkarvo · June 1, 2017, 4:37pm

in nxlog input module config

jtkarvo · June 1, 2017, 4:47pm

… but a more efficient way is to use the Query directive in the input module. See nxlog manual. You can check that the query is what you want by making first a custom view in the event viewer, and once you get it working, use that definition with the nxlog msvistalog query directive.

lubos · June 2, 2017, 10:38am

Hi,
thanks for your reply,
could you help me with this "Exec if ($Severity == ‘INFO’) drop(); "
How to specify in nxlog input module config, that we want to see all logs, but not severity INFO.

OR in query, how to specify, that we want to see all logs, but not severity INFO.

could you send me some example,
thanks very much

jtkarvo · June 2, 2017, 11:09am

hi,

the nxlog manual contains a link to a Microsoft document that has as an example the exact query you want (where informational messages are suppressed)

lubos · June 2, 2017, 11:50am

# Use 'im_mseventlog' for Windows XP, 2000 and 2003 Module im_msvistalog # Uncomment the following to collect specific event logs only # Query \ # \ # *\ # *\ # *\ # \ #

https://msdn.microsoft.com/en-us/library/aa385231.aspx

*[System[(Level <= 3) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]

*[System[(Level = 2)]]

*[System[(Level=1 or Level=2 or Level=3) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]

i need but something this:

*[System[(Level=1 or Level=2 or Level=3)]]

I would like to see all logs from all path, but only specified severity of logs

lubos · June 2, 2017, 11:51am

lubos · June 11, 2017, 3:33pm

Hi all,
do you have query in collector sidecar for filtering input logs through nxlog?
I would like to filter severity INFO.
Could you help me?
thanks very much

Mbuyukkarakas · June 12, 2017, 6:52am

Hi Lubos

You can put your filtering statement in verbatim config field.

The correct path is :

System \ Collectors \ Manage configuration \ (Click on your config) \ Nxlog \ Configure NXlog inputs \ Edit \ Add verbatim config.

Cheers.

Mehmet

system · June 26, 2017, 6:52am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.