
Windows Event Viewer logs - OpenTelemetry Collector config.yaml - how to filter by event_id


I am trying to figure out how to filter the Event Viewer System logs using otelcol-contrib.exe and config.yaml.

Condition 1: Filter out (do not show) records if the severity is higher than 16 (Error logs). I can do it with the config below (there is no problem):

receivers:
  windowseventlog/system:
    channel: system

processors:
  filter:
    logs:
      log_record:
        - 'severity_number < 16'

Condition 2: I also want to show only the event_ids 41 and 7 in the System logs.

How can I apply condition 2? Could you please help me?

This is basically what I am trying to show:

https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/windowseventlogreceiver

https://github.com/open-telemetry/opentelemetry-log-collection/blob/main/docs/operators/windows_eventlog_input.md

I tried to exclude those event_ids; however, it didn't work.


Solution

  • To only keep events that have event ID 41 or 7, use the following Filter processor configuration:

    processors:
      filter/keep-41-and-7:
        logs:
          log_record:
            - 'body["event_id"]["id"] != 41 and body["event_id"]["id"] != 7'
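A complete config.yaml that combines the question's severity condition with the answer's event ID condition and wires the processor into a pipeline, as an added example rather than the answer's or the project's own configuration. The processor and pipeline names, the debug exporter and the error_mode setting are assumptions; the OTTL conditions are the ones given above.

```yaml
receivers:
  windowseventlog/system:
    channel: system

processors:
  # Each entry under log_record is a DROP condition: a record is removed
  # as soon as any one of them evaluates to true, so the records that
  # survive are those matching none of the conditions. With the two
  # conditions below, only records with severity_number >= 16 AND an
  # event ID of 41 or 7 reach the exporter.
  filter/system-41-and-7:   # name assumed for this example
    # assumed: skip records where body["event_id"]["id"] is absent
    # instead of failing the pipeline on the evaluation error
    error_mode: ignore
    logs:
      log_record:
        - 'severity_number < 16'
        - 'body["event_id"]["id"] != 41 and body["event_id"]["id"] != 7'

exporters:
  # assumed: print the surviving records to the collector's console
  debug:
    verbosity: detailed

service:
  pipelines:
    logs/system:   # name assumed for this example
      receivers: [windowseventlog/system]
      processors: [filter/system-41-and-7]
      exporters: [debug]
```

The filter only takes effect when its name appears in the pipeline's processors list; run it on Windows with otelcol-contrib.exe --config config.yaml and compare the records printed by the debug exporter against Event Viewer.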