Is there a way to specify how or what log files are ingested by syslog and the Windows agent? Could it only ingest critical and/or warnings?

Modified on Fri, 17 Nov 2023 at 07:26 AM

Yes, this is configurable in Gravwell or at the source. Here are some details and an example.

Windows Events:
To update the Windows agent config after install, edit the following file:
config.cfg, located at "%PROGRAMDATA%\gravwell\eventlog\config.cfg"
In config.cfg you can specify which Windows event levels you want to collect. In the example below, the three Level= lines are what I added to the default config (the remaining lines are the defaults):
[EventChannel "system"]
#no Tag-Name means use the default tag
Tag-Name=windows
#no Provider means accept from all providers
#no EventID means accept all event ids
#no Level means pull all level
Level=critical
Level=error
Level=warning
#no Max-Reachback means look for logs starting from now
Channel=System #pull from the system channel
The levels above are just examples; they grab the top three levels and omit Information and Verbose. I would start here and see if it helps with the log overload. You can even filter down to the Event ID level, but let's leave that for later if we need it.
Note: make sure to apply these Level= settings in each [EventChannel "Name"] section; a channel section with no Level= line still pulls every level.
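Because a channel section with no Level= line keeps pulling every level, it is worth checking the whole file before restarting the agent. The following is an added Python example, not Gravwell's own code: it parses the gcfg-style layout shown above (one [EventChannel "name"] section per channel, '#' comments, a Level= key that may repeat) and reports any channel that still has no Level filter. The sample config it reads is constructed; the [Global] section and the "application" channel in it are assumptions for illustration.

```python
"""Check a Gravwell Windows event agent config.cfg for per-channel Level= filters.

Added example, not Gravwell's code. It assumes the layout shown in the article:
[EventChannel "name"] sections, '#' comments (also trailing ones), and keys such
as Level= that may repeat. The sample below is constructed for this example.
"""
import re

SECTION_RE = re.compile(r'^\[EventChannel\s+"([^"]+)"\]$')

# Constructed sample: "system" is filtered, "application" still pulls every level.
SAMPLE_CFG = """\
[Global]
# connection settings omitted in this constructed sample

[EventChannel "system"]
Tag-Name=windows
Level=critical
Level=error
Level=warning
Channel=System #pull from the system channel

[EventChannel "application"]
Tag-Name=windows
#no Level means pull all level
Channel=Application
"""


def parse_event_channels(text):
    """Return {section name: {key: [values...]}} for every [EventChannel "..."] section.

    Other sections (e.g. [Global]) are skipped. Comments are stripped at the first
    '#', which is fine for this config but would break a value containing '#'.
    """
    channels = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = channels.setdefault(m.group(1), {})
            continue
        if line.startswith('['):
            current = None          # some other section type, ignore its keys
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        current.setdefault(key, []).append(value)
    return channels


def levels_for(text, channel):
    """Lower-cased Level= values configured for one channel section (empty = all levels)."""
    return [v.lower() for v in parse_event_channels(text).get(channel, {}).get('Level', [])]


def channels_without_level(text):
    """Names of EventChannel sections that have no Level= line and so ingest every level."""
    return [name for name, keys in parse_event_channels(text).items() if not keys.get('Level')]


if __name__ == '__main__':
    for name in channels_without_level(SAMPLE_CFG):
        print(f'[EventChannel "{name}"] has no Level= filter: it will pull all levels')
    print('system channel levels:', levels_for(SAMPLE_CFG, 'system'))
```

Run it against your real file by reading "%PROGRAMDATA%\gravwell\eventlog\config.cfg" into the text argument; any channel it lists is one that will keep generating Information and Verbose volume.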


Syslog:
The best approach is to tune the syslog messages at the source, in the daemon that sends them, so that only the severities you want ever leave the host. Not knowing your system exactly, please let me know if you would like to get on a call for more assistance. Typical configurations only send syslog severity 4 (warning) and more severe, i.e. severities 4 down to 0 (emergency).
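Syslog severity is carried in the PRI field at the start of each message, encoded as facility * 8 + severity, with severity 0 (emergency) through 7 (debug); "severity 4 and more severe" therefore means severity <= 4. The following is an added Python example, not Gravwell's or any syslog daemon's code, that decodes PRI and applies exactly that cut to a few constructed RFC 3164 and RFC 5424 style messages, so you can see which lines a source-side warning filter would still forward.

```python
"""Severity filter keyed on the syslog PRI field.

Added example, not Gravwell's code. PRI = facility * 8 + severity (RFC 3164 /
RFC 5424); severity 0 is most severe, 7 is debug. The sample lines are constructed.
"""
import re

SEVERITY_NAMES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']
PRI_RE = re.compile(r'^<(\d{1,3})>')

# Constructed sample messages; the comment on each gives facility.severity.
SAMPLE_LINES = [
    '<34>Oct 11 22:14:15 mymachine su: su root failed for lonvick on /dev/pts/8',  # auth.crit
    '<13>Oct 11 22:14:16 mymachine myapp: user logged in',                          # user.notice
    '<12>1 2023-11-17T07:26:00Z host app 1234 - - disk 91% full',                   # user.warning (RFC 5424)
    '<190>Oct 11 22:14:17 router dhcpd: DHCPACK on 10.0.0.5',                        # local7.info
    'no PRI at all: malformed line',
]


def parse_pri(line):
    """Return (facility, severity) decoded from a leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                     # facility max 23, severity max 7 -> 23*8+7
        return None
    return divmod(pri, 8)


def keep_message(line, max_severity=4):
    """True if the message is at least as severe as max_severity (4 = warning).

    Lines without a parseable PRI are kept on purpose: a filter meant to cut
    noise should not silently discard messages it cannot classify.
    """
    parsed = parse_pri(line)
    if parsed is None:
        return True
    return parsed[1] <= max_severity


def filter_lines(lines, max_severity=4):
    """Apply keep_message to a list of raw syslog lines, preserving order."""
    return [line for line in lines if keep_message(line, max_severity)]


def describe(line):
    """Human-readable facility/severity for one line, e.g. 'facility=4 severity=2(crit)'."""
    parsed = parse_pri(line)
    if parsed is None:
        return 'unparsed'
    facility, severity = parsed
    return f'facility={facility} severity={severity}({SEVERITY_NAMES[severity]})'


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        verdict = 'keep' if keep_message(line) else 'drop'
        print(f'{verdict:4} {describe(line):32} {line[:50]}')
```

In the sample, the auth.crit and user.warning messages pass and the notice and info messages are dropped, which is the same cut a classic rsyslog selector such as *.warning makes on the sending host. If you apply a filter like this anywhere other than the source, remember that the dropped lines have already consumed network and collector capacity.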
 
If you have any questions about this, please do not hesitate to reach out to support@gravwell.io.
