Is there a way to specify how or what log files are ingested by syslog and the windows agent? Could it only ingest critical and or warnings?

Modified on Fri, 17 Nov 2023 at 07:26 AM

Yes, this is configurable in Gravwell or at the source. Here are some details and an example.

Windows Events:
For updating the Windows agent config post-install look for the following:
config.cfg file located in "%PROGRAMDATA%\gravwell\eventlog\config.cfg"
In the config.cfg file, you can specify the Windows event level you want to collect (example below, bold is where I added to default config)
[EventChannel "system"]

#no Tag-Name means use the default tag


#no Provider means accept from all providers

#no EventID means accept all event ids

#no Level means pull all level




#no Max-Reachback means look for logs starting from now

Channel=System #pull from the system channel
The levels specified above are just examples, and grab the top 3 levels omitting information and verbose. I would start here and see if it helps with the log overload. You can even filter down to the Event ID level but let's leave that for later if we need. 
Note: Make sure to apply these Level= settings for each [EventChannel "Name"]

The best way here is to tune the source of the syslog messages at the source. Not knowing your system exactly please let me know if you would like to get on a call for more assistance. Typical configurations would only send Syslog Level 4 and higher (up to 0)
If you have any questions about this, please do not hesitate to reach out to

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article