This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server:
# Collecting event log
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="SentinelOne/Operational">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>

I tried Exec block filtering but any attempt to add xml code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy?
Thanks all in advance.
CB

Asked April 2, 2022 - 7:39pm

Answer (1)

To filter events, you can use the example listed in the manual regarding im_msvistalog.

The example uses an exact match, but you could also use regex.

<Input in>
    Module  im_msvistalog
    Exec    if ($TargetUserName == 'SYSTEM') OR \
               ($EventType == 'VERBOSE') drop();
</Input>

You could also provide a list using the IN format: if $TargetUserName IN ("Name1","Name2")

Alternatively, you could use XPath filtering as suggested here

This should get you where you need to be.
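Putting the two posts together, here is the questioner's input block with a drop() filter added, as an added example that is not from the original post, the answer, or the NXLog manual. The key point is that the filter is written in the NXLog language inside an Exec directive, not as XML inside QueryXML (which is why adding XML to the Exec line stopped all events). The account name svc_cron, the second account svc_backup and the event ID list are placeholders chosen for this example; $TargetUserName, $SubjectUserName and $EventID are standard im_msvistalog fields.

```apacheconf
# Added example: the question's im_msvistalog input plus a drop() filter for
# a noisy service account. Account names are placeholders.
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="SentinelOne/Operational">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # 1. Exact match, the form the answer quotes from the manual.
    #    drop() discards the record and stops further processing of it,
    #    so nothing below runs for dropped events.
    Exec    if $TargetUserName == 'svc_cron' drop();

    # 2. Several accounts at once, the IN form mentioned in the answer.
    # Exec    if $TargetUserName IN ('svc_cron', 'svc_backup') drop();

    # 3. Case-insensitive regex, which also matches DOMAIN\svc_cron and
    #    svc_cron@domain spellings of the same account.
    # Exec    if $TargetUserName =~ /^(?:[^\\]+\\)?svc_cron(?:@.*)?$/i drop();

    # 4. Narrower variant: drop only the logon/logoff noise (4624, 4634,
    #    4672) the scheduled tasks generate, so other activity attributed
    #    to the account (e.g. 4688 process creation, where the account is
    #    in $SubjectUserName) still reaches the syslog server.
    # Exec    if ($TargetUserName == 'svc_cron' or $SubjectUserName == 'svc_cron') \
    #            and $EventID IN (4624, 4634, 4672) drop();

    # The original normalisation and syslog formatting, now applied only to
    # events that survived the filter.
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>
```

Only one of the four filter lines needs to be active; the others are shown commented out. Variant 4 is the one to prefer from a detection standpoint: dropping every event for a service account also hides anything unexpected done under that account, whereas scoping the drop to the event IDs that actually cause the volume keeps the rest of its audit trail. After changing the filter, confirm with a test event from a normal user that records still arrive, since a syntax error in an Exec directive will stop the whole input rather than just the filter.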