Answer (1)

Doing a regexp like this might not be the cleanest solution:

Exec if $raw_event =~ /INFO\s+4648/ drop();

Instead you should do this:

Exec if ($EventType == 'INFO' and $EventID == 4648) drop();

Note that $EventID is unique within each source, so you should also check $SourceName.

Comments (4)

  • bgrzinic

    Thanks for the fast answer.

    And what would be the proper way of dropping all verbose, information, and warning EventTypes?

    This does the job for application and system logs, but unfortunately not for security logs:

    Exec if ($EventType == 'VERBOSE') OR ($EventType == 'Verbose') drop();
    Exec if ($EventType == 'INFORMATION') OR ($EventType == 'Information') drop();
    Exec if ($EventType == 'WARNING') OR ($EventType == 'Warning') drop();

    Log sending is not consistent for all EventTypes. Is this a known bug maybe?

    We're on version nxlog-ce-2.9.1347.

    Thanks!


  • bgrzinic

    Hi,


    I have the following line at the end of the Input block:

    Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFORMATION') OR ($EventType == 'WARNING') OR ($EventType == 'AUDIT_FAILURE') OR ($EventType == 'AUDIT_SUCCESS') drop();

    Unfortunately I'm still getting informational events. Any idea?

    Thanks!

  • adm (NXLog)

    That should be $EventType == 'INFO'.

    I suggest using to_json(), which will convert the fields into a structured format so you can see what the data looks like and write the proper expressions for it.
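Putting the answer's field-based filter and adm's to_json() suggestion together, here is an added example that is not from this thread or from NXLog's own documentation: a minimal nxlog.conf for a Windows host using the im_msvistalog input module. It assumes the stock Windows config's global section (define ROOT, ModuleDir, CacheDir, Pidfile, SpoolDir, LogFile) precedes it; the instance names (json, eventlog, out, r) and the output path are assumptions, and 4648 is simply the event ID taken from the question.

```apache
# Added example (not from the thread): filter Windows Event Log records by
# field instead of by regexp over $raw_event. Assumes the global section of
# the stock Windows nxlog.conf (ROOT, ModuleDir, CacheDir, ...) comes first.
# Instance names and the output path below are assumptions.

<Extension json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module      im_msvistalog

    # im_msvistalog sets $EventType to one of CRITICAL, ERROR, WARNING, INFO,
    # VERBOSE, AUDIT_SUCCESS or AUDIT_FAILURE. $Severity (DEBUG/INFO/WARNING/
    # ERROR/CRITICAL) is a separate field; Security-log audit records carry
    # $EventType AUDIT_SUCCESS or AUDIT_FAILURE, so a test for 'INFO' (or the
    # non-existent value 'INFORMATION') never matches them.
    Exec if ($EventType == 'INFO' or $EventType == 'WARNING' or $EventType == 'VERBOSE') drop();

    # Drop one specific event ID. $EventID is only unique within a source, so
    # pin it to the Security auditing provider instead of matching the ID alone.
    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID == 4648) drop();

    # While tuning: replace $raw_event with all parsed fields as JSON so the
    # exact $EventType / $Severity / $SourceName / $EventID values can be read
    # in the output. Remove this line once the filters above are right.
    Exec $raw_event = to_json();
</Input>

<Output out>
    Module      om_file
    File        "C:\\nxlog\\data\\eventlog.json"
</Output>

<Route r>
    Path        eventlog => out
</Route>
```

Run this once with the to_json() line in place, open the output file, and copy the field values you see there (for example $EventType, $SourceName) verbatim into the drop() conditions; string comparisons in the Exec language are exact, so 'Information' and 'INFO' are different values.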