In comparison to the nxlog to logstash model, is it possible to suppress
events that are not required?
An example in nxlog would be:
    <Input in>
        Module  im_msvistalog
        Query   <QueryList>\
                  <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688)]]</Suppress>\
                    <Select Path="System">*[System[(EventID=1074 or (EventID=6005 and EventID=6009) or EventID=6013)]]</Select>\
                    <Select Path="Application">*</Select>\
                  </Query>\
                </QueryList>
    </Input>
On Wednesday, February 17, 2016 at 5:37:21 AM UTC+11, Stephen Fox wrote:
>
> You'll need to edit your collector.conf
>
> Use PowerShell to list event log names: Get-EventLog -List
>
> Then, edit your collector.conf to add the logs you wish to monitor. You'll
> have to specify each log separately. I haven't seen a way to monitor them
> all. Perhaps someone else knows a way.
>
> For example:
>
> inputs {
>     win-eventlog-application {
>         type = "windows-eventlog"
>         source-name = "Application"
>         poll-interval = "1s"
>     }
>     win-eventlog-system {
>         type = "windows-eventlog"
>         source-name = "System"
>         poll-interval = "1s"
>     }
>     win-eventlog-security {
>         type = "windows-eventlog"
>         source-name = "Security"
>         poll-interval = "1s"
>     }
>     win-eventlog-hardwareevents {
>         type = "windows-eventlog"
>         source-name = "HardwareEvents"
>         poll-interval = "1s"
>     }
>     win-eventlog-internet-explorer {
>         type = "windows-eventlog"
>         source-name = "Internet Explorer"
>         poll-interval = "1s"
>     }
>     win-eventlog-key-management-service {
>         type = "windows-eventlog"
>         source-name = "Key Management Service"
>         poll-interval = "1s"
>     }
> }
>
> Save your config then restart the collector.
>
> To test, I used PowerShell to send some logs.
>
>     New-EventLog -LogName "HardwareEvents" -Source "Test Source"
>     Write-EventLog -LogName "HardwareEvents" -Source "Test Source" -EntryType "Information" -Message "test message" -EventId 1
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/4f9b55fb-9598-415a-a434-37f6530d34e6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
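An added example for this thread (not code from either post, nor from the Graylog or nxlog projects). It covers both things discussed above: checking the nxlog-style Suppress query locally before deploying it, and generating one collector.conf input stanza per Windows event log so that every log gets its own, unique key (a repeated key in collector.conf is overridden by the later one, so only one of the duplicated inputs would be collected). It assumes an elevated PowerShell 3+ session on the host running the Graylog collector, that collector.conf already contains an outputs section, and a placeholder output path that must be adjusted.

```powershell
# Added example, not from the original posts. Assumes an elevated PowerShell
# session on the collector host; the output path below is a placeholder.

# --- Part 1: test the Suppress query before giving it to nxlog. ---
# Get-WinEvent -FilterXml accepts the same <QueryList> XML that nxlog's
# im_msvistalog Query directive uses, so the Suppress clause can be checked
# against the local Security log first.
$SuppressQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688)]]</Suppress>
  </Query>
</QueryList>
"@

function Test-SuppressQuery {
    param(
        [string]$Xml = $SuppressQuery,
        [int]$MaxEvents = 500
    )
    $events = Get-WinEvent -FilterXml ([xml]$Xml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    # If any of the suppressed IDs still come back, the Suppress clause is wrong.
    $leaked = @($events | Where-Object { $_.Id -in 4624, 4776, 4634, 4672, 4688 })
    $top = $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object { "$($_.Name) x$($_.Count)" }
    [pscustomobject]@{
        Returned = @($events).Count
        Leaked   = $leaked.Count
        TopIds   = ($top -join ', ')
    }
}

# --- Part 2: generate a collector.conf inputs block, one stanza per log. ---
function New-CollectorInputs {
    param(
        # Classic log names, as listed by Get-EventLog -List in the reply above.
        [string[]]$LogNames = (Get-EventLog -List | ForEach-Object { $_.Log }),
        [string]$PollInterval = '1s'
    )
    $stanzas = foreach ($name in $LogNames) {
        # Unique key per log: lower-case, non-alphanumerics collapsed to '-'.
        $key = 'win-eventlog-' + (($name -replace '[^A-Za-z0-9]+', '-').Trim('-').ToLower())
        @"
    $key {
        type = "windows-eventlog"
        source-name = "$name"
        poll-interval = "$PollInterval"
    }
"@
    }
    "inputs {`n" + ($stanzas -join "`n") + "`n}"
}

# Run the query check and print a summary.
Test-SuppressQuery | Format-List

# Write the generated inputs block next to the existing config for review,
# then merge it into collector.conf and restart the collector service.
$OutPath = 'C:\PLACEHOLDER\graylog-collector\config\collector.conf.inputs'
New-CollectorInputs | Set-Content -Path $OutPath -Encoding ASCII
```

Test-SuppressQuery reads the Security log, so it needs an elevated session; a non-zero Leaked count means the XPath in the Suppress element does not match what you expect. New-CollectorInputs only emits the inputs block; keep your existing outputs section and merge the two before restarting the collector.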