Doing a regexp like this might not be the cleanest solution:
Exec if $raw_event =~ /INFO\s+4648/ drop();
Instead you should do this:
Exec if ($EventType == 'INFO' and $EventID == 4648) drop();
Note that $EventID is unique within each source, so you should also check $SourceName.
Comments (4)
Thanks for the fast answer.
And what would be the proper way of dropping all verbose, information, and warning EventTypes:
This does the job for application and system logs, but unfortunately not for security logs:
Exec if ($EventType == 'VERBOSE') OR ($EventType == 'Verbose') drop();
Exec if ($EventType == 'INFORMATION') OR ($EventType == 'Information') drop();
Exec if ($EventType == 'WARNING') OR ($EventType == 'Warning') drop();
Log sending is not consistent for all event types. Is this a known bug maybe?
We're on version nxlog-ce-2.9.1347.
Thanks!
There is also AUDIT_SUCCESS and AUDIT_FAILURE.
Hi,
I have the following sentence at the end of the input tag:
Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFORMATION') OR ($EventType == 'WARNING') OR ($EventType == 'AUDIT_FAILURE') OR ($EventType == 'AUDIT_SUCCESS') drop();
Unfortunately I am still getting informational events. Any idea?
Thanks!
That should be $EventType == 'INFO'
I suggest using to_json(), which will convert the fields into a structured format so you can see what the data looks like in order to write the proper expressions.
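Putting the answer and the last comment together, here is an added example (not from the original post or from NXLog's own documentation) of an im_msvistalog input that first dumps the parsed fields with to_json() and then drops events by $SourceName, $EventID and the upper-case $EventType values. The provider name 'Microsoft-Windows-Security-Auditing' is an assumed $SourceName value for event 4648; confirm it against the JSON dump before relying on it.

```nxlog
# Added example, not code from the original thread. Assumes the events are read
# with im_msvistalog and that 4648 is emitted by the provider named below
# (assumed $SourceName value; verify it in the to_json() output first).
<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog

    <Exec>
        # 1. Inspect before filtering: write every parsed field as JSON to the
        #    NXLog internal log so the real $EventType, $SourceName and $EventID
        #    values are visible. Disable this line once the rules are confirmed.
        log_info(to_json());

        # 2. Targeted drop: one event ID, scoped to its provider. $EventID is only
        #    unique per source, so $SourceName is checked alongside it.
        if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID == 4648) drop();

        # 3. Noise drop for the Application and System channels. The parser
        #    emits the level as upper-case 'INFO', not 'INFORMATION', so one
        #    comparison per level is enough and mixed-case variants never match.
        if ($EventType == 'VERBOSE' or $EventType == 'INFO' or $EventType == 'WARNING') drop();

        # 4. Security channel events carry AUDIT_SUCCESS / AUDIT_FAILURE instead
        #    of INFO, which is why rule 3 leaves them untouched. Dropping
        #    AUDIT_SUCCESS wholesale discards the logon telemetry that detection
        #    depends on, so if such a rule is needed keep it scoped to a specific
        #    $EventID (placeholder below) rather than the whole type.
        # if ($EventType == 'AUDIT_SUCCESS' and $EventID == <id-to-drop>) drop();
    </Exec>
</Input>
```

Rule 2 on its own is the answer's recommended replacement for the regexp on $raw_event; rules 3 and 4 explain why the mixed-case and 'INFORMATION' variants from the comments never fired.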