topic Re: Log Ingest in Log Analytics

Log Ingest

Pabloabad — Fri, 18 Oct 2024 08:56:25 GMT

Good morning,
I have activated the option to ingest the logs from the wiondows event viewer, but I would like to ingest only the logs that come from a specific "winlog.provider".
Is it possible to do this and not ingest the rest? or should I always filter from logs and events to be able to see it?

Re: Log Ingest

Esam_Eid — Thu, 20 Jun 2024 10:13:27 GMT

you need to create processing rule to drop the unwanted logs

https://docs.dynatrace.com/managed/observe-and-explore/log-monitoring/log-processing/log-processing-examples#lpexample12

https://docs.dynatrace.com/managed/shortlink/log-monitoring-log-processing-examples

Regards,

Re: Log Ingest

Pabloabad — Thu, 20 Jun 2024 11:08:00 GMT

Thanks for the answer.

But actually is harder for us to filter out all the logs that we don't want than filter in the ones that we want.

Is it posible to make a rule to filter only the logs we want?

Re: Log Ingest

Esam_Eid — Thu, 20 Jun 2024 12:19:04 GMT

Create a processing rule like

matcher

log.source="Windows Application Log" AND winlog.provider!=".Net Runtime" AND dt.entity.process_group_instance="XXXXXXX"

process definition

FILTER_OUT(true)

move it to the last rule

Hopefully it will work for you

Re: Log Ingest

Pabloabad — Thu, 20 Jun 2024 15:09:41 GMT

Still get this response in DQL Query

Re: Log Ingest

Eric_Yu — Thu, 20 Jun 2024 15:41:11 GMT

Seems like there isn't a filter for winlog.provider, but a workaround could be to use another property that you've identified that only comes with logs that come from that provider.

My first thought would be to use the log content with wildcards for matching:

However, you can try other attribute that makes more sense to you. Hope it helps.

Re: Log Ingest

Esam_Eid — Thu, 20 Jun 2024 16:24:29 GMT

Try Without matchesvalues. Are you using classic logs?