hi,
we are in the process of testing out Log Insight as our global log repository and are running into some issues which are likely syntax, but I'm just not sure.
one of the servers we are testing with throws a whole lot of v4_GUID events, and we want to prevent those from being logged at all.
at the agent configuration we are trying:
[winlog|db-windows-application]
channel=Application
enabled=yes
blacklist = event_type == "v4_f39b2ea6"
but this doesn't seem to work
then at the filter query level I've tried "event_type" "is not" "v4_*" which also does not seem to work...
can anyone help out with some pointers as to why neither approach is working?
Thanks in advance
this ended up being a syntax error -_-
the corrected form is:
[winlog|db-windows-application]
channel=Application
enabled=yes
blacklist=event_type == "v4_f39b2ea6", event_type == "v4_3fd251c1"
Hi
AFAIK, event type is generated by Log Insight when ingested, so not at source. Also the event type is only unique to your installation.
Normally when filters are used it's to include something. I have not used it to exclude stuff.
Also, could you provide an example of what you don't want getting into Log Insight?