Deleting fields from message

#1 giveen

I am trying to reduce the size of the message sent from my Windows event logs to Graylog and I cannot for the life of me figure out how to tell it to drop certain fields.

The only thing I can figure out is that I'm supposed to use delete(), but how to use it and where to place it in my config is very frustrating.

#2 giveen

I think I may have figured it out.

In my <Input eventlog> I added

    Exec delete($SubjectLogonId);
    Exec delete($KeyLength);
    Exec delete($Keywords);
    Exec delete($SubjectUserSid);
    Exec delete($ThreadID);
    Exec delete($TransmittedServices);
    Exec delete($Version);
    Exec delete($LogonGuid);
    Exec delete($LmPackageName);
    Exec delete($ImpersonationLevel);
    Exec delete($RecordNumber);
    Exec delete($SourceModuleType);
    Exec delete($AuthenticationPackageName);
    Exec delete($OpcodeValue);
    Exec delete($ProcessID);
    Exec delete($ProcessName);
    Exec delete($ProviderGuid);
    Exec delete($TargetLogonId);
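
An added example, not part of the original posts: a complete NXLog configuration showing where the delete() calls sit inside the Input block, with the logon-session identifiers kept on the logon and logoff events where they are needed to correlate a session. The instance names, the Graylog address and port, the event-ID list, and the choice to leave the process and account fields in place are assumptions for illustration.

```nxlog
# Added example. Instance names, the Graylog host/port and the
# event-ID list are assumptions, not values from the thread.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
    Module      im_msvistalog
    <Exec>
        # Fields from the post's list that are dropped from every event.
        delete($Keywords);
        delete($Version);
        delete($OpcodeValue);
        delete($ProviderGuid);
        delete($SourceModuleType);
        delete($ThreadID);
        delete($KeyLength);
        delete($LmPackageName);
        delete($TransmittedServices);
        delete($ImpersonationLevel);

        # Logon-session identifiers tie a logon (4624) to its logoff
        # (4634/4647) and to activity in between. Keep them on those
        # events and drop them everywhere else.
        if ($EventID != 4624 and $EventID != 4634 and $EventID != 4647)
        {
            delete($SubjectLogonId);
            delete($TargetLogonId);
            delete($LogonGuid);
        }
    </Exec>
</Input>

<Output graylog>
    Module      om_udp
    # Placeholder address (documentation range); replace with the Graylog input.
    Host        192.0.2.10
    Port        12201
    OutputType  GELF
</Output>

<Route eventlog_to_graylog>
    Path        eventlog => graylog
</Route>
```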