Delete fields from NXLOG

Question

I am trying to reduce the size of the message sent from my Windows event logs to graylog and I cannot for the life of me figuring out how tell it to drop certain fields

The only thing I can figure out is that i'm supposed to use delete() but how to use and where to place it in my config is very frustrating.

What I have so far is: Exec $Message = delete($TargetLogonID);

But this results in: Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:67; couldn't parse statement at line 67, character 39 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; function 'delete()' does not exist or takes different arguments

Answer 1

I think I figured it out. In my <Input eventlog>

I added

  Exec delete($SubjectLogonId);
  Exec delete($KeyLength);
  Exec delete($Keywords);
  Exec delete($SubjectUserSid);
  Exec delete($ThreadID);
  Exec delete($TransmittedServices);
  Exec delete($Version);
  Exec delete($LogonGuid);
  Exec delete($LmPackageName);
  Exec delete($ImpersonationLevel);
  Exec delete($RecordNumber);
  Exec delete($SourceModuleType);
  Exec delete($AuthenticationPackageName);
  Exec delete($OpcodeValue);
  Exec delete($ProcessID);
  Exec delete($ProcessName);
  Exec delete($ProviderGuid);
  Exec delete($TargetLogonId);```