I will enclose in curly braces the message that I want to extract
2012-11-30T02:41:46+08:00 CX-CDOWKSMIS003.ph.gbsorg.net MSWinEventLog 0
{Security} 491 Fri Nov 30 02:41:44 2012 4689
Microsoft-Windows-Security-Auditing PH\CX-CDOWKSMIS003$ N/A
Success Audit CX-CDOWKSMIS003.ph.gbsorg.net Process Termination
A process has exited. Subject: Security ID: S-1-5-18 Account Name:
CX-CDOWKSMIS003$ Account Domain: PH Logon ID: 0x3e7 Process
Information: Process ID: 0x1d50 Process Name:
C:\Windows\System32\SearchFilterHost.exe Exit Status: 0x0 265
I think I understand the log format a little better. I thought that when you
put %msg:F:3% it would extract the Security message that I want, but it gives
this message instead: Microsoft-Windows-Security-Auditing. So the tab
splitting starts with this field, Fri Nov 30 02:41:44 2012 (when I use
%msg:F:1%).
--
View this message in context:
http://rsyslog-rsyslog-users.1305293.n2.nabble.com/Please-help-with-Snare-Format-tp7579234p7579238.html
Sent from the rsyslog -- rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
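The record from the post, pulled apart with the same one-based tab-field counting that rsyslog's %msg:F:N% uses, as an added example that is neither rsyslog's code nor the poster's. It models what the poster observed: the syslog tag has already swallowed "MSWinEventLog", "0", "Security" and "491", so %msg% begins at the Snare date field and %msg:F:3% lands on the source-name column rather than the event-log column. The tabs (the archive shows them as spaces), the column names, and the label list used to split the description text are assumptions made for this example.

```python
"""Why %msg:F:3% yields "Microsoft-Windows-Security-Auditing" for a Snare
MSWinEventLog record, and how to read the columns by name instead.

Added example; not rsyslog code and not the poster's code. It assumes,
as the poster observed, that rsyslog's header parser kept
"MSWinEventLog<TAB>0<TAB>Security<TAB>491<TAB>" as the syslog tag, so the
msg property starts at the Snare date field.
"""
import re

# Constructed from the record in the post, with real tab separators.
SNARE_TAG = "MSWinEventLog\t0\tSecurity\t491\t"   # consumed as %syslogtag%
SNARE_MSG = "\t".join([                           # what %msg% holds
    "Fri Nov 30 02:41:44 2012", "4689",
    "Microsoft-Windows-Security-Auditing", "PH\\CX-CDOWKSMIS003$", "N/A",
    "Success Audit", "CX-CDOWKSMIS003.ph.gbsorg.net", "Process Termination",
    "A process has exited. Subject: Security ID: S-1-5-18 Account Name: "
    "CX-CDOWKSMIS003$ Account Domain: PH Logon ID: 0x3e7 Process Information: "
    "Process ID: 0x1d50 Process Name: C:\\Windows\\System32\\SearchFilterHost.exe "
    "Exit Status: 0x0",
    "265",
])

# Column names assigned here (assumption) in the order the fields appear
# in the posted record, tag half first.
SNARE_COLUMNS = [
    "Format", "Criticality", "EventLog", "Counter", "DateTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "Category", "Description", "Checksum",
]

# Labels that separate values inside the Windows description text
# (taken from this record; extend for other event IDs).
DESCRIPTION_LABELS = [
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Process Information", "Process ID", "Process Name", "Exit Status",
]


def field(text, n, delim="\t"):
    """Mimic rsyslog's %prop:F:n%: one-based, tab-delimited, '' if absent."""
    parts = text.split(delim)
    return parts[n - 1] if 1 <= n <= len(parts) else ""


def snare_record(tag, msg):
    """Rejoin the two halves and name every column of the Snare record."""
    parts = (tag + msg).split("\t")
    if len(parts) != len(SNARE_COLUMNS):
        raise ValueError(f"expected {len(SNARE_COLUMNS)} fields, got {len(parts)}")
    return dict(zip(SNARE_COLUMNS, parts))


def description_fields(description):
    """Split 'Label: value Label: value ...' text into a dict.

    Each value runs lazily up to the next known label or end of string,
    so values containing spaces (paths, domains) survive intact."""
    alt = "|".join(re.escape(label) for label in DESCRIPTION_LABELS)
    pattern = re.compile(rf"({alt}):\s*(.*?)\s*(?=(?:{alt}):|$)")
    return {label: value for label, value in pattern.findall(description)}


if __name__ == "__main__":
    # Offset view: what %msg:F:1% and %msg:F:3% return for this record.
    for n in (1, 2, 3):
        print(f"%msg:F:{n}% -> {field(SNARE_MSG, n)!r}")
    # Named view: the EventLog column is in the tag half, not in msg.
    rec = snare_record(SNARE_TAG, SNARE_MSG)
    print("EventLog:", rec["EventLog"], "EventID:", rec["EventID"])
    for key, value in description_fields(rec["Description"]).items():
        if value:
            print(f"  {key}: {value}")
```

Taking the tag and msg halves together gives the whole record, so the EventLog column comes out as "Security" by name rather than by a field number that shifts with however much of the tab-separated prefix the header parser consumed.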