Syslog and Windows Event Log Forwarder

Hi,Is it possible to filter out certain windows events. For example, we receive certain warning events on one of our servers that we can disregard. But the event forwarder forwards them on. Is there any way to filter them out? Thanks

Find more posts tagged with

syslog_filter

Accepted answers

All comments

aLTeReGo

Absolutely. The process is the same as creating an alert for any Syslog message. Go into the Syslog Viewer, click on "Alerts / Filter Rules" and create the criteria for the messages you wish to disregard. On the "Alert Actions" tab click "Add New Action" and select "Discard the Syslog Message".

craig999

Thanks alterego.

Just a couple more questions. So one of the keywords in my message the is coming through is TermServDevices . If i wanted to filter out any syslog message that came through with that would I add it to

Message Type Pattern as *TermServDevices*

Thanks

Craig

aLTeReGo

This looks right, but without the original syslog message to look at I can't definitely confirm it's correct. Give it a shot though, it should work.

craig999

Hmm.. I gave it a go.. but still get the message coming through... any other ideas

tonyreel

Hi Craig,

You need to add the action "Stop Processing Syslog Rules" to the same rule that discards the message. The parser runs through all the rules from top to bottom unless it is told to stop by a triggered rule, so make sure your discard rule is above any other rules that forward messages.

rneiraaz

I have both of my discard rules set up with a 'stop processing syslog rules' action at the end, and the messages are still not being discarded. One post says this is a bug in the Syslog Viewer...?

tonyreel

Strange, I have had our parsers doing this very task for some time. You may have done some or all of these but the below steps is how I troubleshoot any issues with the parser.

Put the rule in question at the top of the list so that no other rules are having any affect (i.e if one of them is even taging the trap then it will keep it and not completly discard it, I think.)

Once the rule is at the top put an action in to tag the traps and leave it for a while. The traps you want to discard should be tagged. If not then the issue is with the matching conditions and not the discard action.

Once the messages are being tagged correctly, remove the action to tag (important to remove this) and add the actions to discard and stop processing (I always do them in that order but not sure if that makes a difference).

If the parser was able to tag the messages but is then not able to discard them then it would look like there is a discard bug with your install but as I said it has been working fine for me in the last two versions - I am currently running all the latest version of everything.

Hope this helps

bshopp

If this is still an issue for you please open a support ticket