I am trying to reduce the size of the messages sent from my Windows event logs to Graylog, and I cannot for the life of me figure out how to tell it to drop certain fields.

The only thing I can figure out is that I'm supposed to use delete(), but how to use it and where to place it in my config is very frustrating.

Asked June 26, 2020 - 8:10pm

Answer (1)

I think I may have figured it out.

In my <Input eventlog> block I added:

Exec delete($SubjectLogonId);
Exec delete($KeyLength);
Exec delete($Keywords);
Exec delete($SubjectUserSid);
Exec delete($ThreadID);
Exec delete($TransmittedServices);
Exec delete($Version);
Exec delete($LogonGuid);
Exec delete($LmPackageName);
Exec delete($ImpersonationLevel);
Exec delete($RecordNumber);
Exec delete($SourceModuleType);
Exec delete($AuthenticationPackageName);
Exec delete($OpcodeValue);
Exec delete($ProcessID);
Exec delete($ProcessName);
Exec delete($ProviderGuid);
Exec delete($TargetLogonId);
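
For readers arriving at this thread, here is a complete nxlog.conf sketch showing where those delete() calls sit relative to the rest of a Windows-to-Graylog pipeline. This is an added example, not the poster's config: it assumes the im_msvistalog input module, the xm_gelf extension with om_udp for GELF delivery, and NXLog's multi-line <Exec> block syntax; the Graylog hostname and port are placeholders.

```nxlog
# Added example (not from the original post). Drops the same fields as the
# answer above before forwarding Windows events to Graylog as GELF.
# Assumptions: im_msvistalog, xm_gelf, om_udp and the <Exec> block form
# are available in the NXLog version in use. Host/port are placeholders.

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Exec inside an Input runs once per event, after the event has been
    # parsed into fields, so fields removed here never reach the output.
    # Each delete() removes one field from the current event.
    <Exec>
        delete($SubjectLogonId);
        delete($KeyLength);
        delete($Keywords);
        delete($SubjectUserSid);
        delete($ThreadID);
        delete($TransmittedServices);
        delete($Version);
        delete($LogonGuid);
        delete($LmPackageName);
        delete($ImpersonationLevel);
        delete($RecordNumber);
        delete($SourceModuleType);
        delete($AuthenticationPackageName);
        delete($OpcodeValue);
        delete($ProcessID);
        delete($ProcessName);
        delete($ProviderGuid);
        delete($TargetLogonId);
    </Exec>
</Input>

<Output graylog>
    Module      om_udp
    # Placeholder values; replace with the real Graylog GELF UDP input.
    Host        graylog.example.internal
    Port        12201
    OutputType  GELF_UDP
</Output>

<Route eventlog_to_graylog>
    Path    eventlog => graylog
</Route>
```

One practical note before copying the field list: several of these fields are the keys an analyst uses to correlate Security log events later (TargetLogonId ties a 4624 logon to its 4634 logoff, LogonGuid links logons to Kerberos ticket events, SubjectUserSid and ProcessID/ProcessName identify who and what performed an action). Trimming message size is reasonable, but review the list against what your detections and investigations actually query before dropping them.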

Comments (1)