
Hi,

We are looking for a way to send only certain Windows application log types to Loggly, and could use some help in getting this set up.

Sample (sanitized) Windows application log:

Log Name:      Application
Source:        PlatformService
Date:          4/15/2015 5:59:58 PM
Event ID:      0
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:     XXXXXX.domain.com
Description:
AccountId: 6239745
Email: f3a61cd60de521d6d2c4598713b6e0600aae4e17
Client: PlatformService
EventType: Stats
LoginMethod: Setup

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PlatformService" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-15T17:59:58.000000000Z" />
    <EventRecordID>XXXXXX</EventRecordID>
    <Channel>Application</Channel>
    <Computer>XXXXXX.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AccountId: 123456
Email: 123456
Client: Harmony Platform Service
EventType: Stats
LoginMethod: Setup
</Data>
  </EventData>
</Event>

We want to be able to search in Loggly using source:

source = "PlatformService"

Asked April 15, 2015 - 8:16pm

Answer (1)

The im_msvistalog has a Query directive; you can copy the XML filter from Event Viewer there.

Answered April 16, 2015 - 3:57pm

Comments (2)

  • fg

    Hi Adm,

    Thanks for pointing that out. I am totally new to this, but would the query look something like this?

    Query <QueryList> \
              <Query Id="1"> \
                <Select Path="Application">*[System[Provider[@Name='PlatformService']]]</Select> \
              </Query> \
          </QueryList>

    April 20, 2015 - 11:13pm
  • adm (NXLog)

    Looks ok. It will give an error in nxlog.log if there is something wrong with the config.

    April 21, 2015 - 9:32am
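
An added example, not part of the original thread and not NXLog's own code: the "Source" shown in Event Viewer is stored in the event XML as the Name attribute of System/Provider, so this script reads it from an exported event, builds the matching XPath filter, and formats it as a Query directive. The function names are hypothetical, the sample is the question's event XML trimmed to the fields used, and ElementTree only evaluates an equivalent path, not the Windows event query engine itself.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the event XML from the question, trimmed to the fields used here.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PlatformService" />
    <EventID Qualifiers="0">0</EventID>
    <Channel>Application</Channel>
  </System>
  <EventData><Data>EventType: Stats</Data></EventData>
</Event>"""

def event_fields(event_xml):
    """Return (channel, provider name) from the event's <System> block."""
    system = ET.fromstring(event_xml).find("e:System", NS)
    return (system.findtext("e:Channel", namespaces=NS),
            system.find("e:Provider", NS).get("Name"))

def provider_xpath(provider):
    """Event log XPath filter on the provider name (Event Viewer's 'Source')."""
    if "'" in provider:
        raise ValueError("an apostrophe cannot be embedded in this XPath literal")
    return "*[System[Provider[@Name='%s']]]" % provider

def selects(event_xml, provider):
    """Check the same condition against an exported event with ElementTree."""
    path = "e:System/e:Provider[@Name='%s']" % provider
    return ET.fromstring(event_xml).find(path, NS) is not None

def nxlog_query_directive(channel, provider):
    """Format the filter as an im_msvistalog Query directive."""
    select = "    <Select Path=%s>%s</Select>" % (
        quoteattr(channel), escape(provider_xpath(provider)))
    lines = ["<QueryList>", '  <Query Id="1">', select, "  </Query>", "</QueryList>"]
    ET.fromstring("\n".join(lines))  # fail early if the filter is not well-formed XML
    # A trailing backslash continues the directive onto the next config line.
    return "Query " + " \\\n      ".join(lines)

if __name__ == "__main__":
    channel, provider = event_fields(SAMPLE_EVENT)
    assert selects(SAMPLE_EVENT, provider)
    print(nxlog_query_directive(channel, provider))
```

The printed directive goes inside the im_msvistalog Input block; as noted in the thread, nxlog.log reports an error if the query is rejected.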