We are looking for a way to send only certain Windows application log types to Loggly, and could use some help getting this set up.

Sample (sanitized) Windows application log:

Log Name:      Application
Source:        PlatformService
Date:          4/15/2015 5:59:58 PM
Event ID:      0
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:     XXXXXX.domain.com
AccountId: 6239745
Email: f3a61cd60de521d6d2c4598713b6e0600aae4e17
Client: PlatformService
EventType: Stats
LoginMethod: Setup

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="PlatformService" />
    <EventID Qualifiers="0">0</EventID>
    <TimeCreated SystemTime="2015-04-15T17:59:58.000000000Z" />
    <Security />
    <Data>AccountId: 123456
Email: 123456
Client: Harmony Platform Service
EventType: Stats
LoginMethod: Setup

We want to be able to search in Loggly using source:

source = "PlatformService"

Asked April 15, 2015 - 8:16pm

Answer (1)

The im_msvistalog has a Query directive, you can copy the XML filter from Event Viewer there.
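
As an added illustration (not part of the original answer and not the poster's configuration), this is how an Event Viewer XML filter for the PlatformService provider in the Application log can be placed in the Query directive. The instance names `eventlog`, `loggly_out` and `eventlog_to_loggly` are assumptions, and an Output section named `loggly_out` is assumed to be defined elsewhere in nxlog.conf.

```conf
# Added example: read only PlatformService events from the Application log.
# The Query value is the XML from Event Viewer's "Filter Current Log" XML tab.
# Each line of the directive except the last ends with a backslash so that
# nxlog treats the whole filter as one value; no blank lines or comments may
# appear between the continued lines.
#
# The filter is applied by the Windows Event Log API, so events from other
# providers are never read by nxlog and never leave the host.
#
# The provider is matched on the Name attribute of System/Provider, which is
# the "Source" column shown in Event Viewer.
<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*[System[Provider[@Name='PlatformService']]]</Select>\
                </Query>\
            </QueryList>
</Input>

# Assumed names: loggly_out is a hypothetical Output instance defined elsewhere.
<Route eventlog_to_loggly>
    Path    eventlog => loggly_out
</Route>
```

The Event Log query language is a limited XPath subset without substring functions, so a value inside the free-text `<Data>` body (such as `EventType: Stats`) cannot be selected by this filter.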

Comments (2)

  • fg

    Hi Adm,

    Thanks for pointing that out. I am totally new to this but would the query look something like this?

    Query <QueryList> \
               <Query Id="1">\
                  <Select Path="Application">*[Source[(Source=PlatformService')]]</Select>\