giveen

Reputation: 43

Delete fields from NXLOG

I am trying to reduce the size of the message sent from my Windows event logs to Graylog, and I cannot for the life of me figure out how to tell it to drop certain fields.

The only thing I can figure out is that I'm supposed to use delete(), but how to use it and where to place it in my config is very frustrating.

What I have so far is: Exec $Message = delete($TargetLogonID);

But this results in: Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:67; couldn't parse statement at line 67, character 39 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; function 'delete()' does not exist or takes different arguments

Upvotes: 0

Views: 560

Answers (1)

giveen

Reputation: 43

I think I figured it out. In my <Input eventlog>

I added

  Exec delete($SubjectLogonId);
  Exec delete($KeyLength);
  Exec delete($Keywords);
  Exec delete($SubjectUserSid);
  Exec delete($ThreadID);
  Exec delete($TransmittedServices);
  Exec delete($Version);
  Exec delete($LogonGuid);
  Exec delete($LmPackageName);
  Exec delete($ImpersonationLevel);
  Exec delete($RecordNumber);
  Exec delete($SourceModuleType);
  Exec delete($AuthenticationPackageName);
  Exec delete($OpcodeValue);
  Exec delete($ProcessID);
  Exec delete($ProcessName);
  Exec delete($ProviderGuid);
  Exec delete($TargetLogonId);

Upvotes: 0
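For readers wondering where the delete() calls sit relative to the rest of the pipeline, here is an added, complete nxlog.conf fragment (not from the poster) that collects Windows event log entries, strips the same kind of fields inside one multi-line Exec block, and forwards the trimmed records to Graylog as GELF. The Graylog host 192.0.2.10 and port 12201 are placeholder values you would replace with your own.

```nxlog
# Added example configuration, not the original poster's file.
# Assumes NXLog Community Edition on Windows with the xm_gelf extension available.

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # A single multi-line Exec block is equivalent to many "Exec delete(...)" lines.
    # Only drop fields you do not need for detection or investigation; keep
    # EventID, TargetUserName, IpAddress, LogonType, etc. for security use cases.
    <Exec>
        delete($SubjectLogonId);
        delete($KeyLength);
        delete($Keywords);
        delete($SubjectUserSid);
        delete($ThreadID);
        delete($TransmittedServices);
        delete($Version);
        delete($LogonGuid);
        delete($LmPackageName);
        delete($ImpersonationLevel);
        delete($RecordNumber);
        delete($SourceModuleType);
        delete($AuthenticationPackageName);
        delete($OpcodeValue);
        delete($ProcessID);
        delete($ProcessName);
        delete($ProviderGuid);
        delete($TargetLogonId);
    </Exec>
</Input>

<Output graylog>
    Module      om_udp
    Host        192.0.2.10    # placeholder: your Graylog GELF UDP input
    Port        12201         # placeholder: default GELF UDP port
    OutputType  GELF
</Output>

<Route eventlog_to_graylog>
    Path        eventlog => graylog
</Route>
```

Placing the Exec block in the Input module means the fields are removed before any output module serialises the record, which is what actually shrinks the message on the wire.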
