Skip to content
This repository has been archived by the owner on Mar 13, 2018. It is now read-only.

EventId from Windows Eventlog is not the same in graylog #50

Open
mafiore opened this issue Aug 5, 2015 · 1 comment
Open

EventId from Windows Eventlog is not the same in graylog #50

mafiore opened this issue Aug 5, 2015 · 1 comment

Comments

@mafiore
Copy link

mafiore commented Aug 5, 2015

Example: In the EventLog the ID ist 7036.
In the corresponding graylog entry I can only find
event_id 1073748860
event_record_number 29773.

hmmm...
@ivofrolov
Copy link

It's a feature of windows eventlog API (or java library itself) I suppose. Anyway I use this Drools rule to fix the problem.

import org.graylog2.plugin.Message

rule "Rewrite Windows Eventlog Event Id"
    when
        m : Message(hasField("event_id"))
    then
        m.addField("event_id", Long.parseLong(String.valueOf(m.getField("event_id"))) & 0xFFFF);
end

@kashok7474 kashok7474 mentioned this issue Aug 18, 2022
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ivofrolov @mafiore