Input Filtering
This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server:
Collecting event log
<Input in> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security"></Select> <Select Path="SentinelOne/Operational"></Select> <Select Path="Application">*</Select> </Query> </QueryList> </QueryXML> Exec $Message =~ s/(\t|\R)/ /g; to_syslog_bsd(); </Input>
I tried Exec block filtering but any attempt to add xml code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy? Thanks all in advance. CB
To filter events, you can use the example listed in the manual regarding im_msvistalog.
The example uses an exact match, but you could also use regex.
<Input in>
Module im_msvistalog
Exec if ($TargetUserName == 'SYSTEM') OR \
($EventType == 'VERBOSE') drop();
</Input>
You could also provide a list using the IN format
if $TargetUserName IN ("Name1","Name2")
Alternatively, you could use XPath filtering as suggested here
This should get you where you need to be.
