Hi,

All I can tell you is that most likely you have an error somewhere in your regexp/filter. For example, neither im_mseventlog nor im_msvistalog generates an 'ERR' value for Severity; it is 'ERROR'.

These are exactly the type of simple filters which are used by most users, in addition to being verified by our automated tests. I'd recommend using om_file with to_json() or log_info(to_json()) to debug your data. Nobody will be able to help you without seeing the latter.

Regards,
Botond

On Wed, 18 Sep 2013 12:00:57 +0200 Aurélien BOUVARD <[email protected]> wrote:
> Hi,
> I would like to understand something about a filter.
> I have some Windows logs with this kind of systag:
>
> Microsoft-Windows-Security-Auditing[518]
>
> I want to filter this kind of systag when they have "error" severity, and
> after that, drop them. So I've done this kind of thing:
>
> <Input indeux>
>     Module im_msvistalog
>     ReadFromLast True
>     Exec if $SourceName =~ /Microsoft-Windows-Security-Auditing/ and $Severity != 'ERR' \
>          { drop(); }
> </Input>
>
> but it does not work...
>
> I think the symbol / mytext / means "contains mytext",
> so I tried to use the symbol ^ to tell "what starts with..." and do only one
> condition:
>
> <Input indeux>
>     Module im_msvistalog
>     ReadFromLast True
>     Exec if $SourceName =~ /^Microsoft-Windows-Security-Auditing/ { drop(); }
> </Input>
>
> but also it does not work...
>
> Do you have any idea where I made some mistakes?
>
> Regards,

_______________________________________________
nxlog-ce-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
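As an added example (not part of the thread above, and not nxlog project code), here is the filter rewritten with the Severity value Botond points out, together with the om_file/to_json() debug output he recommends. It assumes nxlog CE on Windows with the xm_json extension available; the output path is a placeholder.

```nxlog
# Added example, not from the mailing-list thread.
# to_json() is provided by the xm_json extension, so it must be loaded.
<Extension json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module      im_msvistalog
    ReadFromLast TRUE
    # Keep only Security-Auditing events whose Severity is ERROR.
    # im_msvistalog sets Severity to values such as 'ERROR', never 'ERR',
    # so comparing against 'ERR' makes the condition always true and drops
    # every matching event, which is why the original filter "did not work".
    Exec if $SourceName =~ /^Microsoft-Windows-Security-Auditing/ \
            and $Severity != 'ERROR' drop();
    # Alternative debugging aid suggested in the reply: write each record's
    # fields to nxlog's own log file instead of a separate output.
    # Exec log_info(to_json());
</Input>

<Output debug>
    Module      om_file
    # Placeholder path; point it anywhere the nxlog service can write.
    File        "C:\\nxlog-debug.json"
    # Serialise every field so the real $SourceName and $Severity values
    # the regexp and comparison operate on can be inspected.
    Exec $raw_event = to_json();
</Output>

<Route r>
    Path eventlog => debug
</Route>
```

Inspect the JSON lines first, confirm the exact field values, and only then tighten the Exec condition.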
