Filter logs at the Windows client (NXlog)

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
tim620
Posts: 4
Joined: Tue May 07, 2019 1:37 pm

Filter logs at the Windows client (NXlog)

Post by tim620 »

Right now our Windows systems are sending everything to the log server. In a few cases this is millions of logs per day and is causing performance issues on the log server itself, as well as rapidly filling up our storage.

How do we filter logs on the NXlog client prior to them being sent to the log server itself?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Filter logs at the Windows client (NXlog)

Post by ssax »

You would modify the nxlog.conf on the Windows system to either drop the ones you don't want or keep the ones you do want:

https://nxlog.co/documentation/nxlog-us ... ering.html

See the Exec drop at the bottom here:

# Windows Event Log
<Input eventlog>
    # im_msvistalog reads the Windows Event Log on Vista/2008 and later
    Module im_msvistalog

    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Keep only the listed event IDs; every other record is dropped
        # on the client before it is sent to the log server
        if not ($EventID in (12345, 22222)) drop();
    </Exec>
</Input>
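A fuller version of the same idea, added here as an example and not taken from the thread or from the NXLog or Nagios documentation: the first stage uses XPath in QueryXML so that the Windows event subscription itself never hands unwanted records to NXLog (cheaper than parsing them and then calling drop()), and the second stage uses Exec for a condition on parsed fields that XPath cannot express conveniently. The Security channel becomes an allow-list rather than '*', so anything not named never leaves the host; the event IDs and levels below are an assumed starting point chosen for this example, not a recommended final list, and should be derived from what your detections actually consume (at minimum keep 1102, the audit-log-cleared event, and the logon, account-change and process-creation events).

```nxlog
# Two-stage source-side filtering for Windows Event Log (added example).
# Stage 1: QueryXML/XPath, evaluated by the Windows event subscription
#          before NXLog ever sees the record. Event IDs and levels are
#          this example's assumptions; tune them to your detection needs.
# Stage 2: Exec, evaluated per record on the fields NXLog has parsed.
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <!-- Security channel: allow-list. Everything not named here never
                     leaves the host, so keep 1102 (audit log cleared), logons
                     (4624/4625/4648), privileged logon (4672), process creation
                     (4688), service install (4697) and account/group changes. -->
                <Select Path='Security'>*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4697 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
                <!-- System channel: Critical/Error/Warning plus 7045 (new service installed). -->
                <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3 or EventID=7045)]]</Select>
                <!-- Application channel: Critical/Error only. -->
                <Select Path='Application'>*[System[(Level=1 or Level=2)]]</Select>
                <!-- Explicitly suppress known firewall noise (Filtering Platform
                     connection events), even if a Select above ever matched it. -->
                <Suppress Path='Security'>*[System[(EventID=5156 or EventID=5158)]]</Suppress>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Stage 2: drop successful network logons (LogonType 3) by computer
        # accounts (account names ending in '$'), which are the bulk of 4624
        # volume on servers. Every failed logon and every human logon is kept.
        if ($EventID == 4624 and $LogonType == '3' and $TargetUserName =~ /\$$/) drop();
    </Exec>
</Input>
```

Before deploying, confirm the drop rate with the log server's own counters and keep a copy of the unfiltered query for incident response: a filter that is tuned only for volume will silently remove the events an investigation later needs, so every drop() or omitted event ID should be justified against a detection or retention requirement rather than against disk usage alone.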