
I'm trying to reduce the size of the messages sent from the Windows event log to Graylog, but for the life of me I can't figure out how to tell it to remove certain fields.

The only thing I've been able to figure out is that I should be using delete(), but how to use it and where to put it in my config is extremely frustrating.

What I have so far is:

```
Exec $Message = delete($TargetLogonID);
```

But this results in:

```
Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:67; couldn't parse statement at line 67, character 39 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; function 'delete()' does not exist or takes different arguments
```


1 Answer


I think I figured it out. In my `<Input eventlog>` block I added:

```
Exec delete($SubjectLogonId);
Exec delete($KeyLength);
Exec delete($Keywords);
Exec delete($SubjectUserSid);
Exec delete($ThreadID);
Exec delete($TransmittedServices);
Exec delete($Version);
Exec delete($LogonGuid);
Exec delete($LmPackageName);
Exec delete($ImpersonationLevel);
Exec delete($RecordNumber);
Exec delete($SourceModuleType);
Exec delete($AuthenticationPackageName);
Exec delete($OpcodeValue);
Exec delete($ProcessID);
Exec delete($ProcessName);
Exec delete($ProviderGuid);
Exec delete($TargetLogonId);
```
answered 2020-06-26T20:12:45.980
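The answer above shows the delete() lines in isolation. The following is an added example of a complete nxlog.conf built around them; it is not part of the original question or answer and not NXLog's own documentation. It reads the Security channel with im_msvistalog, drops the fields the answer lists (a representative subset is shown; the remaining lines from the answer go in the same place), and forwards the records to Graylog as GELF over UDP via xm_gelf. The Graylog address 192.0.2.10, port 12201, the install path and the instance/route names are assumptions. The reason the question's `Exec $Message = delete($TargetLogonID);` fails to parse is that delete() is a procedure in the NXLog language, not a function: it returns nothing, so it cannot sit on the right-hand side of an assignment and must be called as a statement on its own.

```nxlog
# Constructed example nxlog.conf for NXLog Community Edition on Windows.
# Install path, Graylog address and instance names are assumptions.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# GELF encoder; provides OutputType GELF (UDP) and GELF_TCP for outputs.
<Extension gelf>
    Module  xm_gelf
</Extension>

<Input eventlog>
    Module  im_msvistalog

    # Optional first lever on size: only subscribe to the channel you need
    # instead of every channel on the host. Backslashes continue the line.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>

    # Second lever: drop fields from each record before it is encoded.
    # delete() is a procedure, so it is invoked as a statement and never
    # assigned to a field. Each Exec runs once per event record as read.
    Exec delete($SubjectLogonId);
    Exec delete($KeyLength);
    Exec delete($Keywords);
    Exec delete($SubjectUserSid);
    Exec delete($ThreadID);
    Exec delete($Version);
    Exec delete($RecordNumber);
    Exec delete($SourceModuleType);
    Exec delete($OpcodeValue);
    Exec delete($ProviderGuid);
    Exec delete($TargetLogonId);
    # ... add the other delete() lines from the answer here in the same form.
</Input>

<Output graylog>
    Module      om_udp
    Host        192.0.2.10
    Port        12201
    OutputType  GELF
</Output>

<Route eventlog_to_graylog>
    Path    eventlog => graylog
</Route>
```

Check the syntax with `nxlog -v -c "C:\Program Files (x86)\nxlog\conf\nxlog.conf"` before restarting the service; a bad Exec statement produces the same kind of "couldn't parse statement" error the question shows. One caveat before trimming aggressively: SubjectLogonId, TargetLogonId and ProcessName are the keys most Security-log detections use to tie logon events (4624/4634/4672) and process events to one session, so deleting them shrinks the message at the cost of that correlation on the Graylog side.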