Input Filtering

ilgtech

This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server:

Collecting event log

    <Input in>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*</Select>
                    <Select Path="SentinelOne/Operational">*</Select>
                    <Select Path="Application">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
    </Input>

I tried Exec block filtering but any attempt to add xml code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy? Thanks all in advance. CB
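An added example, not part of the original post and not taken from NXLog's own documentation: the Exec directive takes NXLog language statements rather than XML, so the account can be dropped with a conditional `drop()` placed before the message is rewritten. The account name `svc_cron` is a placeholder, and the event IDs 4624/4634 (logon/logoff) are an assumed choice for the noisy events; the poster's real values are not given on the page.

```nxlog
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="SentinelOne/Operational">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Placeholder account name (assumption): replace svc_cron with the
        # real service account. Security events expose the account as
        # $TargetUserName and/or $SubjectUserName, depending on the event.
        # defined() keeps events without these fields flowing untouched;
        # the /i flag matches regardless of case, as Windows does.
        if ( (defined($TargetUserName) and $TargetUserName =~ /^svc_cron$/i)
          or (defined($SubjectUserName) and $SubjectUserName =~ /^svc_cron$/i) )
        {
            # Scope the suppression to the noisy event IDs only (assumed
            # here to be logon 4624 and logoff 4634), so other activity by
            # the same account still reaches the syslog server.
            if ($EventID == 4624) or ($EventID == 4634)
            {
                drop();
            }
        }

        # Original processing from the post, unchanged.
        $Message =~ s/(\t|\R)/ /g;
        to_syslog_bsd();
    </Exec>
</Input>
```

Dropping every event for an account removes it from detection entirely, which is why the example limits the drop to specific event IDs.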