从NXLOG中删除字段

Question

我正在尝试将从我的Windows事件日志发送的消息大小减少到灰色日志，但我终生无法弄清楚如何告诉它删除某些字段

我能弄明白的唯一一件事是我应该使用delete()，但是如何使用以及在我的配置中把它放在哪里是非常令人沮丧的。

到目前为止，我所拥有的是：Exec $Message = delete($TargetLogonID);

但这会导致：Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:67; couldn't parse statement at line 67, character 39 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; function 'delete()' does not exist or takes different arguments

Answer 1

我想我想通了。在我的<Input eventlog>

我添加了

  Exec delete($SubjectLogonId);
  Exec delete($KeyLength);
  Exec delete($Keywords);
  Exec delete($SubjectUserSid);
  Exec delete($ThreadID);
  Exec delete($TransmittedServices);
  Exec delete($Version);
  Exec delete($LogonGuid);
  Exec delete($LmPackageName);
  Exec delete($ImpersonationLevel);
  Exec delete($RecordNumber);
  Exec delete($SourceModuleType);
  Exec delete($AuthenticationPackageName);
  Exec delete($OpcodeValue);
  Exec delete($ProcessID);
  Exec delete($ProcessName);
  Exec delete($ProviderGuid);
  Exec delete($TargetLogonId);```