im_msvistalog multiple filters


#1 LP_577584

Hello, I have to filter multiple logs (such as System, Application) and also filter them by levels. I'm trying to write a config but it doesn't output anything.

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path="System">[System[(EventID=11150 or EventID=11151 or EventID=11152 or EventID=11153 or EventID=11154 or EventID=11155 or EventID=11162 or EventID=11163 or EventID=11164 or EventID=11165 or EventID=11166 or EventID=11167 or EventID=5773 or EventID=5774)]]</Select>
<Select Path='System'>[System/Level=2]</Select>
<Select Path="System">[System[(Level=2 or Level=4)][(EventID=6005 or EventID=6008)]]</Select>
<Select Path="System">[System/Level=4[(EventID=6005 or EventID=6008)]]</Select>s
<Select Path="System">[System/Level=3[(EventID=1031 or EventID=1053 or EventID=5053 or EventID=1129 or EventID=1131 or EventID=1135 or EventID=1206 or EventID=1211 or EventID=1216 or EventID=1553 or EventID=5553 or EventID=2057 or EventID=47 or EventID=16947 or EventID=16949 or EventID=4034 or EventID=9015 or EventID=9026)]]</Select>
<Select Path="Application">[System/Level=2]</Select>
<Select Path="Application">*[System/Level=3[(EventID=514)]]</Select>
</QueryList>
</QueryXML>

I don't know if this is the right way, it's my first time with nxlog.

Thanks a lot!

#2 rafDeactivated Nxlog ✓

Hello,

I'd suggest going toward a cleaner way:

First, gather your IDs in something like:

define wantedIds 11150, 11151, 11152, 11153, 11162, 9026

And next, your config can be simplified to something like this:

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path="System">*[System]</Select>
<Select Path="System">*[System[(Level=2 or Level=3 or Level=4)]]</Select>
<Select Path="Application">*[System[(Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
</QueryXML>
# Keep only the event IDs listed in wantedIds
Exec if $EventID NOT IN (%wantedIds%) drop();
</Input>

Let me know if that works for you. If not - please, let me know, bringing the rest of your config and logs.

Regards,

Rafal
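
An offline check for a `<QueryXML>` body like the ones in this thread, added here as an example (not code from either poster or from NXLog). It tests only two things: that the block is well-formed XML, and that each Select expression starts with `*` or `Event`, as Windows event queries require. The function name and the sample queries are constructed for illustration, shortened from the query in the question.

```python
import xml.etree.ElementTree as ET

def lint_query_xml(query_xml):
    """Return a list of problems found in a <QueryXML> body (empty list = OK)."""
    try:
        root = ET.fromstring(query_xml.strip())
    except ET.ParseError as exc:
        # e.g. a missing </Query> closing tag
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "QueryList":
        problems.append("root element is <%s>, expected <QueryList>" % root.tag)
    for query in root.iter("Query"):
        for child in query:
            # Text between elements (a stray character after </Select>) belongs to no filter
            if child.tail and child.tail.strip():
                problems.append("stray text %r after <%s>" % (child.tail.strip(), child.tag))
            if child.tag not in ("Select", "Suppress"):
                problems.append("unexpected element <%s> inside <Query>" % child.tag)
                continue
            expr = (child.text or "").strip()
            if not expr.startswith(("*", "Event")):
                problems.append("%s on %r does not start with '*' or 'Event': %s"
                                % (child.tag, child.get("Path"), expr))
    return problems

# Constructed samples, shortened from the query in the question
MALFORMED = """<QueryList><Query Id='0'>
<Select Path="System">*[System[(Level=2)]]</Select>
</QueryList>"""

BAD_SELECTS = """<QueryList><Query Id='0'>
<Select Path="System">[System/Level=2]</Select>
<Select Path="System">*[System[(Level=4) and (EventID=6005 or EventID=6008)]]</Select>s
<Select Path="Application">*[System[(Level=2 or Level=3)]]</Select>
</Query></QueryList>"""

# Same query with the leading '*' restored and the stray character removed
GOOD = (BAD_SELECTS.replace(">[System/Level=2]", ">*[System[(Level=2)]]")
        .replace("</Select>s", "</Select>"))

if __name__ == "__main__":
    for name, sample in (("MALFORMED", MALFORMED), ("BAD_SELECTS", BAD_SELECTS), ("GOOD", GOOD)):
        print(name, lint_query_xml(sample) or "OK")
```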