-
标题
Filtering Windows Agent Logs Using Metadata on SSB -
说明
This document's purpose is to assist with filtering logs using metadata whose source is the Syslog-ng Agent for Windows -
解决办法
The list of added metadata (macros) can be found in the Syslog-ng Agent for Windows admin guide.
In order to filter by metadata, the comparative filter needs to be used for Syslog-ng Agent for Windows logs.
(See "Comparing macro values in filters" in the Syslog-ng PE Admin guide)The comparative filter calls the metadata (macro) and compares it to a value using numerical or string operators.
Numerical operators are used for numerical values and string operators for non-numerical values (alphabetical character strings).
Additionally, the metadata is case-sensitive, examples of filters can be found below.
The value being compared against the metadata (macro) can use Regular Expressions (RegEx).
NOTE - Boolean operators can be used to combine multiple filter statements (and, or, not).Examples of filters within the Syslog-ng Store Box (SSB):
"${.SDATA.win@18372.4.EVENT_SOURCE}" eq "Microsoft\ Windows\ security\ auditing\."
"${.SDATA.win@18372.4.EVENT_ID}" == "5156"