I am using Nxlog to forward my Windows Server logs to LogStash and trying to remove messages from LogStash that are not equal to a given Windows EventID. What is the correct syntax for this?

Here is what I have tried:

if [type] == "WindowsLog" {
            if      [EventID] <> 123
                    {

                            drop { }
            }

and:

 if [type] == "WindowsLog" {
            if      ![EventID] == 123
                    {

                            drop { }
            }

and

if [type] == "WindowsLog" {
            if      [EventID] != 123
                    {

                            drop { }
            }

CBE
  • The last one should be fine (except that it's missing a closing brace at the end, but I assume that's a copy/paste mistake), but it probably requires that your EventID field is an integer field (and not a string field). Is it? – Magnus Bäck Mar 08 '15 at 12:46
  • Thank you, I added it to its own if statement as it had other statements below there where I was trying to add tags. I now have it working but only for a single EventID. When trying to add an or statement it seems to drop all events. `if [type] == "WindowsLog" { if [EventID] != 538 or [EventID] != 540 { drop { } } }` – CBE Mar 08 '15 at 14:47
  • Yes, because no matter what event id you have, it's either not equal to 538 _or_ it's not equal to 540. You want to drop messages whose event id is not equal to 538 _and_ not equal to 540. – Magnus Bäck Mar 08 '15 at 19:47
  • In this instance, 538 and 540 are both the events I want to keep (I'm using these 2 to test as they are common in my logs). Using the AND operator, I only get the 538 messages and not the 540? – CBE Mar 09 '15 at 04:56
  • Then I don't know what's up. Logically it's the correct condition; if the event id isn't 538 and isn't 540, drop the message. – Magnus Bäck Mar 09 '15 at 06:53

1 Answer

`[EventID] == 123` should match, and then you can drop.

bravosierra99
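A complete filter block that puts the thread's two findings together (the `and` condition and the integer-vs-string caveat from the comments), written as an added example rather than the asker's or answerer's own configuration; the `WindowsLog` type and the assumption that nxlog delivers `EventID` as a string are taken from the thread, and the `mutate`/`convert` step is the standard Logstash way to normalise that:

```logstash
filter {
  if [type] == "WindowsLog" {
    # nxlog's JSON output can deliver EventID as a string. Comparing a string
    # field against the bare integer 538 never matches, so convert first.
    mutate {
      convert => { "EventID" => "integer" }
    }

    # Keep only the two logon event IDs used in the thread (538 and 540).
    # "[EventID] != 538 or [EventID] != 540" is true for every event, so it
    # drops everything; a keep-list must use "and".
    if [EventID] != 538 and [EventID] != 540 {
      drop { }
    }
  }
}
```

Run `logstash --config.test_and_exit -f <file>` to check the syntax before reloading a live pipeline; a field that stays a string after `convert` (for example because it carries non-numeric text) will still fail the integer comparison.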