Input Filtering

Tags:

#1 ilgtech

This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server:

Collecting event log

```
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="SentinelOne/Operational">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>
```

I tried Exec block filtering but any attempt to add xml code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy? Thanks all in advance. CB

#2 Zhengshi Nxlog ✓

To filter events, you can use the example listed in [the manual](https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) regarding im_msvistalog. The example uses an exact match, but you could also use regex.

```
Module  im_msvistalog
Exec    if ($TargetUserName == 'SYSTEM') OR \
           ($EventType == 'VERBOSE') drop();
```

You could also provide a list using the `IN` format: `if $TargetUserName IN ("Name1","Name2")`

---

Alternatively, you could use XPath filtering as suggested [here](https://nxlog.co/documentation/nxlog-user-guide/eventlog-filtering.html). This should get you where you need to be.
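Putting the two posts together, here is a complete input block that keeps the original query and adds the drop rule; this is an added example, not code from the thread or from the NXLog documentation. The account name `svc-cron`, the event IDs 4624/4634/4672 and the `syslog` extension name are assumptions. It matches on both `$SubjectUserName` and `$TargetUserName` (a service account is the subject of 4672 but the target of 4624/4634), guards with `defined()` because most events carry neither field, and drops only the logon/logoff/privilege noise for that account, so other Security events about it (process creation, account changes) still reach the syslog server.

```nxlog
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="SentinelOne/Operational">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Assumed noisy IDs: 4624 logon, 4634 logoff, 4672 special privileges.
        # Only these are dropped for the cron account; everything else is kept.
        if ($EventID IN (4624, 4634, 4672)) and
           (
             (defined($SubjectUserName) and $SubjectUserName =~ /^svc-cron$/i) or
             (defined($TargetUserName)  and $TargetUserName  =~ /^svc-cron$/i)
           )
        {
            drop();
        }
        # Unchanged from the original post: flatten tabs/newlines, then format.
        $Message =~ s/(\t|\R)/ /g;
        to_syslog_bsd();
    </Exec>
</Input>
```

To silence more than one account, replace the regex with an `IN` list as the answer suggests, e.g. `$SubjectUserName IN ("svc-cron", "svc-backup")`, keeping the `defined()` guard in front of it.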