Filtering event logs through nxlog.conf

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
sgiworks
Posts: 197
Joined: Mon Mar 21, 2016 11:38 am

Filtering event logs through nxlog.conf

Post by sgiworks »

Hello Team,

Can you have filters set on the Nagios Log Server clients (nxlog.conf), so that they filter the type of events to be forwarded, instead of forwarding all the event logs from the clients to the Nagios Log Server?

Regards,
Swapnil
sgiworks
Posts: 197
Joined: Mon Mar 21, 2016 11:38 am

Re: Filtering event logs through nxlog.conf

Post by sgiworks »

Attached is the current nxlog file for your reference. Do let us know if you need more details from our end.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Filtering event logs through nxlog.conf

Post by mcapra »

You can configure nxlog to discard certain events, yes. If you could provide some sample logs and indicate which events you would like to discard, we can assist with this.
Former Nagios employee
https://www.mcapra.com/
sgiworks
Posts: 197
Joined: Mon Mar 21, 2016 11:38 am

Re: Filtering event logs through nxlog.conf

Post by sgiworks »

We want to discard all, and only allow events with a specific event ID to be pushed. Is it possible?
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Filtering event logs through nxlog.conf

Post by mcapra »

That's pretty easy to handle as a Logstash filter. Using the ID 4634 as an example:

Code:

if [type] == 'eventlog' {
    if [EventID] != '4634' {
        drop{}
    }
}
If you still wanted to do this from within nxlog, it might look something like this in the Input definition:

Code:

Exec if string($EventID) !~ /^4634/ drop();
Former Nagios employee
https://www.mcapra.com/
sgiworks
Posts: 197
Joined: Mon Mar 21, 2016 11:38 am

Re: Filtering event logs through nxlog.conf

Post by sgiworks »

Yes, we will definitely need nxlog.conf updated, because we don't want the network load of forwarding all the logs from all servers to Nagios Log Server.
We will try the command below and keep you posted.
Exec if string($EventID) !~ /^4634/ drop()

Do you know the log forwarding frequency from nxlog.conf?

Regards,
Swapnil
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Filtering event logs through nxlog.conf

Post by mcapra »

Just as an FYI, there was a syntax error in my original post. The line should be as follows for EventID 4634:

Code:

Exec if string($EventID) !~ /^4634/ drop();
sgiworks wrote: Do you know the log forwarding frequency from nxlog.conf
I don't think you can set a poll frequency for the event log input modules (im_internal or im_vista typically), so it's approximately "whenever the system gets around to the nxlog operations".
Former Nagios employee
https://www.mcapra.com/
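
The allowlist approach discussed in this thread, extended to several event IDs, as an added example that is not code from any poster or from Nagios. It assumes the im_msvistalog input module, an instance named "eventlog", the Security channel, and the sample IDs 4624 and 4625 next to the thread's 4634.

```conf
# Added example: allowlist forwarding in nxlog.conf (not from the thread).
# Assumptions: instance name "eventlog", the Security channel, and the
# constructed sample IDs 4624 and 4625 alongside the thread's 4634.
<Input eventlog>
    Module  im_msvistalog

    # Ask the Windows Event Log API for the wanted IDs only, so other
    # events are never handed to nxlog in the first place.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634)]]</Select>\
                </Query>\
            </QueryList>

    # Second gate inside nxlog. The pattern is anchored at both ends:
    # /^4634/ alone is a prefix match and would also pass 46340-46349.
    Exec    if string($EventID) !~ /^(4624|4625|4634)$/ drop();
</Input>
```

Events dropped on the client never reach the Log Server, so the allowlist should cover every ID that alerting or later investigation depends on.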