5.5. Filtering messages

The syslog-ng Agent for Windows application can filter log messages in a blacklist-fashion: you can define filters, and any message that matches the filters is ignored by the agent — only messages that do not match the filters are sent to the central server. In other words, the filters are connected to each other with logical OR operations.

Different filters are available for eventlog- and file sources. When the syslog-ng agent processes a message, it checks the relevant filters on-by-one: if it finds a filter that matches the message, the agent stops processing the message without sending it to the server.

	Note
	By default, all filters are case sensitive. To change this behavior, see Section 5.3.3, “Global settings of the syslog-ng agent”.

The following types of filters are available for eventlog sources:

Sources and Event ID: Filter on the source (application) that created the message, and optionally on the identification number of the event. Corresponds with the EVENT_SOURCE and EVENT_ID macros.
Message Contents: Filter the text of the message, i.e., the contents of the EVENT_MESSAGE macro.
Sources and Categories: Filter on the source (application) that created the message, and optionally on the category of the event. Corresponds with the EVENT_SOURCE and EVENT_CATEGORY macros. Note that leaving the category field empty equals with the none category of the Event Viewer.
Users: Filter on the username associated with the event. Corresponds with the EVENT_USERNAME macro.
Computers: Filter on the name of the computer (host) that created the event. Corresponds with the HOST macro.
Event Types: Filter on the type of the event. Corresponds with the EVENT_TYPE macro.

To modify the filters used for eventlog messages, complete the following procedure:

Procedure 5.5.1. Filtering eventlog messages

Start the configuration interface of the syslog-ng Agent for Windows application.
Select syslog-ng Agent Settings > Eventlog Sources > Filters, and double-click on the type of filter you want to create.

To ignore messages sent by a specific application, or messages of the application with a specific event ID, double-click on Sources and Event ID, select Add, and select the name of the source (application) whose messages you want to ignore from the Source Name field. To ignore only specific messages of the application, enter the ID of the event into the Event ID field. Select Add > Apply.
To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add > Apply.
To ignore messages sent by a specific application, or messages of the application that fall into a specific category, double-click on Sources and Categories, select Add, and select the name of the application whose messages you want to ignore from the Application Name field. To ignore only those messages of the application that fall into a specific category, enter the name of the category into the Category field. Select Add > Apply.
To ignore messages sent by a specific user, double-click on Users, enter the name of the user into the User field, then select Add > Apply.
To ignore messages sent by a specific computer (host), double-click on Computers, enter the name of the user into the Computer field, then select Add > Apply.

Event Types: To ignore messages of a specific event-type, double-click on Event Types, select the event types to ignore, and select Ok > Apply.

Note

Under Windows Vista and Server 2008, Windows labels certain messages as level 3 and the Event Viewer labels such messages as warnings. This is against the official specification: level 3 should not be used; and only level 2 messages are warnings. To filter these events, you have to manually add a new event type to the registry and set its value to 3, e.g., HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\syslog-ng Agent\Local Settings\EventSources\Filter\Type\Rule0\Type=3

Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

The following types of filters are available for file sources:

Message Contents: Filter the text of the message, i.e., the contents of the FILE_MESSAGE macro.

To modify the filters used for file messages, complete the following procedure:

Procedure 5.5.2. Filtering file messages

Start the configuration interface of the syslog-ng Agent for Windows application.
Select syslog-ng Agent Settings > File Sources > Filters, and double-click on the type of filter you want to create.
- To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add.
Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Prev	Up	Next
5.4.3. Importing certificates with the Microsoft Management Console	Home \| Contents	5.6. Customizing the message format

The syslog-ng 3.0 Administrator Guide

Document version: Thirteenth
Release date: September 23, 2010
Latest version available at the BalaBit Documentation Page