Hi!
I have 3 questions.
I have a parser file hereunder:
<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <match>(.*)</match>
      <id>5</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1006</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1008</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1023</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1057</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>12014</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <level>1</level>
      <event params="1">100003</event>
    </rule>
  </rules>
</parser>
1:
Is there a simpler method to exclude events with predefined event IDs? (e.g. 5, 1006, 1008, ...)
2:
I manage Windows 7, Windows Server 2008 and Windows Server 2012, and I see that the severity levels are the following:
Critical = 1
Error = 2
Warning = 3
Information = 4
The above example captures only Windows error level events. How do I set the <level> parameter to capture Windows critical events? (And, of course, how do I combine the values?)
3:
With the above parser, the agent always misses the event with event id 1. What could be the reason?