Hi,

On Wed, 17 Jul 2013 16:49:50 -0300
Geraldo Magella Junior <geraldomagellajun...@gmail.com> wrote:

> I'm throwing in the towel...I'm using NXLOG to forward events to Logstash
> centralized interface that would then write to Elastic Search so I can
> check'em out in Kibana.
I've yet to understand why everyone is using logstash for that, as it is
only a proxy and can (?) be omitted altogether.

> Everything is working fine but I'm trying to filter some log entries that I
> don't want to see in ES/Kibana/etc.
> What I want to do is:
> * Exclude DFS Replication log messages.
> * Exclude log messages that had DEBUG in the message field.
You have more options. In addition to using pm_pattern it might be worth
doing the filtering directly with the Exec directive, i.e.:
 <Input eventlog>
     Module      im_msvistalog
     Exec if ($EventID == 42) or ($EventID == 142) ... drop(); \
          else if $Message =~ /DEBUG/ drop(); 
 </Input>

Another option is to use Query XML/xpath filtering; see the Query
directive of the im_msvistalog module.

> Can anyone help me?
> Any help would be appreciated.
You forgot to include in your mail what the exact problem is that you are
having. 

> And Patterndb.xml looks like:
> 
> <patterndb>
>     <group>
>         <name>eventlog</name>
>         <id>1</id>
>         <pattern>
>             <id>1</id>
>             <name>dfs events</name>
>             <matchfield>
>                 <name>FileName</name>
>                 <type>string</type>
The type tag here defines the matching operation, so it is either REGEXP
or EXACT. You need the latter in this case.

>                 <value>DFS Replication</value>
>             </matchfield>
>             <matchfield>
>                 <name>SourceName</name>
>                 <type>string</type>
Same as above.

>                 <value>DFSR</value>
>             </matchfield>
>             <matchfield>
>                 <name>EventID</name>
>                 <type>rege</type>
Typo

>                 <value>(4202|4208|4302|4304|5004)</value>
>             </matchfield>
>             <exec>
>                 drop();
>             </exec>
>         </pattern>
>         <pattern>
>             <id>2</id>
>             <name>Monitor</name>
>             <matchfield>
>                 <name>Message</name>
>                 <type>string</type>
regexp?

>                 <value>DEBUG</value>
>             </matchfield>
>             <exec>
>                 drop();
>             </exec>
>         </pattern>
>     </group>
> </patterndb>

Regards,
Botond



_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
