Filter Event Viewer Logs By Source Name
Greetings,
I'm trying to filter event viewer logs by the source name using the following configuration:
<Input EventLog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path='System'>*[System[(SourceName="Service Control Manager")]]</Select>\
                    </Query>\
                </QueryList>
</Input>
However it's not working. When I try and filter by Event ID that works no problem. Any assistance would be much appreciated.
SourceName is an NXLog field name and I don't think it can be used in the XPath query. Provider refers to that, so the following should do what you want (untested though):
<Select Path="System">*[System[Provider[@Name='Service Control Manager']]]</Select>
Note that you should be able to test the XML queries in Event Viewer. If it works there, you can just copy paste that to nxlog.conf (while making sure to add backslashes as needed).
Alternatively you can use NXLog's language to filter the data:
Exec if $SourceName != 'Service Control Manager' drop();
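
The answer's advice to test the query before copying it into nxlog.conf can also be followed from PowerShell. This is an added example, not part of the original thread: `Test-EventQuery` and `ConvertTo-NxlogQuery` are hypothetical helper names, the query text is constructed from the answer above, and the only built-in cmdlet relied on is `Get-WinEvent -FilterXml`.

```powershell
# Constructed query: Application unfiltered, System limited to one provider.
$queryXml = @'
<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="System">*[System[Provider[@Name='Service Control Manager']]]</Select>
  </Query>
</QueryList>
'@

function Test-EventQuery {
    # Hypothetical helper: runs the query through the Windows Event Log API.
    param([Parameter(Mandatory)][string]$Xml, [int]$Sample = 200)
    $doc = [xml]$Xml   # throws on malformed XML, e.g. a missing </Select>
    try {
        $events = Get-WinEvent -FilterXml $doc -MaxEvents $Sample -ErrorAction Stop
    } catch {
        # A valid query that matches nothing is reported as an error too.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        throw   # invalid query, unknown channel, or access denied
    }
    # Count hits per channel and provider to confirm the filter took effect.
    $events | Group-Object LogName, ProviderName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function ConvertTo-NxlogQuery {
    # Hypothetical helper: prints the XML as an nxlog.conf Query directive,
    # adding the trailing backslash to every line except the last.
    param([Parameter(Mandatory)][string]$Xml)
    $lines = @($Xml -split "`r?`n" | Where-Object { $_.Trim() })
    $last = $lines.Count - 1
    for ($i = 0; $i -le $last; $i++) {
        $prefix = if ($i -eq 0) { '    Query       ' } else { '                ' }
        $suffix = if ($i -lt $last) { '\' } else { '' }
        "$prefix$($lines[$i])$suffix"
    }
}

Test-EventQuery -Xml $queryXml        # System rows should list only the one provider
ConvertTo-NxlogQuery -Xml $queryXml   # paste the output inside the <Input> block
```

If the summary shows any System provider other than Service Control Manager, the filter is not being applied and the query should be fixed before it goes into nxlog.conf.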
