Hello,
I'm not sure if I understand you correctly - what do you mean by "every event from creating its own log file"? Did you mean limiting/filtering the events to be stored?
If the filesize is your issue, you may want to check the filecycle directive.
In case I misunderstood you - please, provide your conf file & bring us more details on your case.
Best regards,
Rafal
Comments (2)
A copy of the conf is included, without the entire list of EventIDs and hosts. I think I set a pretty basic query with the event IDs I need. Every event is producing its own log file, which leads to 200k+ log files per day. I would like to see if we could output all the events into one large file per date. We would rather have a large file daily than many small ones daily.
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module  om_tcp
    Host    (redacted)
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route 1>
    Path    in => out
</Route>
Thanks for the file.
I'm not sure what you mean by "files", since you're clearly using TCP to send the data "somewhere" - is there anything else missing besides the closing of the <Output> section? From what I see now, it looks like you're sending Windows logs to some server listening over TCP. Correct me if I'm wrong - I assume you'd like to send it in batches - that's possible with NXLog Enterprise Edition. You can find some useful hints here: 32. Reducing Bandwidth and Data Size.
Best regards,
Rafal
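As an added example (it is not the poster's configuration and not taken from NXLog's own documentation), here is one way to get the "one large file per date" output the comment asks for: keep the same im_msvistalog query, but route it to an om_file output whose File directive is an expression that embeds the event's date, so NXLog appends every matching event to a single file for that day instead of one file per event. The log directory, the output and route names are assumptions.

```nxlog
# Added example, not the poster's configuration: write all matching
# Security events to one file per day instead of forwarding over TCP.
# The log directory and the output/route names are assumptions.
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4) and (EventID=4624 or EventID=4634)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output daily_file>
    Module  om_file
    # File is an expression, evaluated per event; formatting $EventTime as a
    # date means every event logged on the same day lands in the same file.
    # Single quotes keep the Windows backslashes literal.
    File    'C:\logs\security-' + strftime($EventTime, '%Y-%m-%d') + '.log'
    # Create C:\logs if it does not exist yet.
    CreateDir TRUE
    # Same on-disk record format as the original om_tcp output.
    Exec    to_syslog_snare();
</Output>

<Route daily>
    Path    in => daily_file
</Route>
```

With a dated filename the current day's file stays open and is appended to, and at midnight a new one is started; yesterday's file is simply left in place, so removing old files is a separate housekeeping step (for example a scheduled file_remove() from xm_fileop), not something this output does on its own.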