Is there a way to specify how or what log files are ingested by syslog and the windows agent? Could it only ingest critical and or warnings?

Yes, this is configurable in Gravwell or at the source. Here are some details and an example.

Windows Events:
To change the Windows agent configuration after installation, edit the config.cfg file located at "%PROGRAMDATA%\gravwell\eventlog\config.cfg".
In config.cfg you can specify the Windows event levels you want to collect (example below; the Level= lines are where I added to the default config):
[EventChannel "system"]
#no Tag-Name means use the default tag
Tag-Name=windows
#no Provider means accept from all providers
#no EventID means accept all event ids
#no Level means pull all levels
Level=critical
Level=error
Level=warning
#no Max-Reachback means look for logs starting from now
Channel=System #pull from the system channel
The levels specified above are just an example: they grab the top three levels (critical, error, warning) and omit information and verbose. I would start here and see if it helps with the log overload. You can even filter down to the Event ID level, but let's leave that for later if we need it. Make sure to apply these Level= settings in each [EventChannel "Name"] section.
Syslog:
The best approach here is to tune the syslog messages at the source, so that low-priority messages are never sent to the ingester. Not knowing your system exactly, please let me know if you would like to get on a call for more assistance. Typical configurations only send syslog severity level 4 (warning) and higher, up to level 0 (emergency); note that in syslog a lower number means a more severe message.
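To make the "level 4 and higher" rule concrete, here is an added example (not Gravwell code, and not part of the original answer) that decodes the PRI header of syslog lines into facility and severity and keeps only messages at severity 4 (warning) or more severe. The sample messages are constructed for the example.

```python
import re

# RFC 5424 severity numbers: 0 is the most severe, 7 the least.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# "Level 4 and higher" means numeric severity 0..4 (warning and worse).
DEFAULT_MAX_SEVERITY = 4

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line.
    PRI = facility * 8 + severity. Returns None when the line has no PRI
    or when PRI is outside the 0..191 range allowed by the RFC."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def keep_line(line, max_severity=DEFAULT_MAX_SEVERITY):
    """True if the line should be forwarded (severity <= max_severity).
    Lines without a valid PRI are kept rather than silently dropped,
    so malformed messages can still be inspected downstream."""
    parsed = parse_pri(line)
    if parsed is None:
        return True
    return parsed[1] <= max_severity


def filter_lines(lines, max_severity=DEFAULT_MAX_SEVERITY):
    return [ln for ln in lines if keep_line(ln, max_severity)]


# Constructed sample messages, not captured from a real system.
SAMPLE = [
    "<34>Oct 11 22:14:15 host1 sshd[1001]: authentication failure",  # auth.critical
    "<38>Oct 11 22:14:16 host1 sshd[1001]: Accepted publickey for alice",  # auth.info
    "<12>Oct 11 22:14:17 host1 kernel: temperature above threshold",  # user.warning
    "<15>Oct 11 22:14:18 host1 cron[2]: job finished",  # user.debug
    "no PRI header at all",
]

if __name__ == "__main__":
    for line in SAMPLE:
        parsed = parse_pri(line)
        name = SEVERITY_NAMES[parsed[1]] if parsed else "unknown"
        print(f"{'KEEP' if keep_line(line) else 'DROP'} {name:13} {line}")
```

At the source the same cut-off is usually expressed in the syslog daemon's own selector syntax (for example an rsyslog selector of `*.warning`, which matches warning and more severe) rather than in a script like this.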
 
If you have any questions about this please do not hesitate to reach out to support@gravwell.io.