Sedecar and nxlog - filtering windows events - severitz

lubos · 2017-06-01 13:23:41 UTC

Hi,
we have graylog 2.2.3 and we have configured graylog sidecar with nxlog on clients.
We have a log of events with severitz INFO. We would like to filter input for windows eventslog in nxlog config.
I need to configure nxlog in sidecar collector on Graylog.

so, i think, i need to change configuration for module im_msvistalog.
How and where to configure this "Exec if ($Severity == ‘INFO’) drop(); " in graylog for input nxlog.

Configure NXLog Inputs?
Define NXLog Snippets?

jtkarvo · 2017-06-01 16:37:17 UTC

in nxlog input module config

jtkarvo · 2017-06-01 16:47:07 UTC

… but a more efficient way is to use the Query directive in the input module. See nxlog manual. You can check that the query is what you want by making first a custom view in the event viewer, and once you get it working, use that definition with the nxlog msvistalog query directive.

lubos · 2017-06-02 10:38:00 UTC

Hi,
thanks for your reply,
could you help me with this "Exec if ($Severity == ‘INFO’) drop(); "
How to specify in nxlog input module config, that we want to see all logs, but not severity INFO.

OR in query, how to specify, that we want to see all logs, but not severity INFO.

could you send me some example,
thanks very much

jtkarvo · 2017-06-02 11:09:51 UTC

hi,

the nxlog manual contains a link to a Microsoft document that has as an example the exact query you want (where informational messages are suppressed)

lubos · 2017-06-02 11:50:20 UTC

# Use 'im_mseventlog' for Windows XP, 2000 and 2003 Module im_msvistalog # Uncomment the following to collect specific event logs only # Query \ # \ # *\ # *\ # *\ # \ #

https://msdn.microsoft.com/en-us/library/aa385231.aspx

*[System[(Level <= 3) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]

*[System[(Level = 2)]]

*[System[(Level=1 or Level=2 or Level=3) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]

i need but something this:

*[System[(Level=1 or Level=2 or Level=3)]]

I would like to see all logs from all path, but only specified severity of logs

lubos · 2017-06-02 11:51:59 UTC

lubos · 2017-06-11 15:33:53 UTC

Hi all,
do you have query in collector sidecar for filtering input logs through nxlog?
I would like to filter severity INFO.
Could you help me?
thanks very much

Mbuyukkarakas · 2017-06-12 06:52:53 UTC

Hi Lubos

You can put your filtering statement in verbatim config field.

The correct path is :

System \ Collectors \ Manage configuration \ (Click on your config) \ Nxlog \ Configure NXlog inputs \ Edit \ Add verbatim config.

Cheers.

Mehmet

system · 2017-06-26 06:52:56 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.