Hi,
we have graylog 2.2.3 and we have configured graylog sidecar with nxlog on clients.
We have a log of events with severitz INFO. We would like to filter input for windows eventslog in nxlog config.
I need to configure nxlog in sidecar collector on Graylog.
so, i think, i need to change configuration for module im_msvistalog.
How and where to configure this "Exec if ($Severity == ‘INFO’) drop(); " in graylog for input nxlog.
Configure NXLog Inputs?
Define NXLog Snippets?
in nxlog input module config
… but a more efficient way is to use the Query directive in the input module. See nxlog manual. You can check that the query is what you want by making first a custom view in the event viewer, and once you get it working, use that definition with the nxlog msvistalog query directive.
Hi,
thanks for your reply,
could you help me with this "Exec if ($Severity == ‘INFO’) drop(); "
How to specify in nxlog input module config, that we want to see all logs, but not severity INFO.
OR in query, how to specify, that we want to see all logs, but not severity INFO.
could you send me some example,
thanks very much
hi,
the nxlog manual contains a link to a Microsoft document that has as an example the exact query you want (where informational messages are suppressed)
https://msdn.microsoft.com/en-us/library/aa385231.aspx
*[System[(Level <= 3) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]
*[System[(Level = 2)]]
*[System[(Level=1 or Level=2 or Level=3) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]
i need but something this:
*[System[(Level=1 or Level=2 or Level=3)]]I would like to see all logs from all path, but only specified severity of logs
Hi all,
do you have query in collector sidecar for filtering input logs through nxlog?
I would like to filter severity INFO.
Could you help me?
thanks very much
Hi Lubos
You can put your filtering statement in verbatim config field.
The correct path is :
System \ Collectors \ Manage configuration \ (Click on your config) \ Nxlog \ Configure NXlog inputs \ Edit \ Add verbatim config.
Cheers.
Mehmet
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
