im_msvistalog filters
#1
LP_577584
Hello,
I'm trying to query some EventID with a specific SeverityValue in "im_msvistalog", the config is something like this:
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='System'>*[System[(EventID=6005 or EventID=6008 or EventID=7036)]</Select>
</Query>
</QueryList>
</QueryXML>
Exec if $SeverityValue NOT IN (2, 4) drop();
Exec $Message =~ s/(\t|\R)/ /g;
I'm trying for a test to output on file, but nothing is outputted.
Anyone has some hint?
Thanks
#1
LP_577584
Hello,
I'm trying to query some EventID with a specific SeverityValue in "im_msvistalog", the config is something like this:
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='System'>*[System[(EventID=6005 or EventID=6008 or EventID=7036)]</Select>
</Query>
</QueryList>
</QueryXML>
Exec if $SeverityValue NOT IN (2, 4) drop();
Exec $Message =~ s/(\t|\R)/ /g;
I'm trying for a test to output on file, but nothing is outputted.
Anyone has some hint?
Thanks
Hi,
Could you provide your full conf file?
Regards,
Rafal
