amazon-cloudwatch-agent
Filter Windows Events on Event ID in cloudwatch agent config and only forward matching events to cloudwatch logs
Is your feature request related to a problem? Please describe.
Trying to only get a few specific Windows Event IDs for Security forwarded to CloudWatch Logs. Sending Information logs without any filtering is far too verbose for keeping for, say, a year or two.
Describe the solution you'd like
Filter added to the config to only forward event IDs from a list to CloudWatch Logs.
Hi @mdgm88,
Would using the filters feature work for your use case?
Something along the lines of:
    "collect_list": [
        {
            "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/test.log",
            "log_group_name": "test.log",
            "log_stream_name": "test.log",
            "filters": [
                {
                    "type": "exclude",
                    "expression": "Firefox"
                },
                {
                    "type": "include",
                    "expression": "P(UT|OST)"
                }
            ]
        },
        .....
    ]
As mentioned above, try out the filters feature and let us know if that solves your requirements. Feel free to re-open if you have any further questions.
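An added example, not part of the thread or of the agent's code: a small Go check that applies a `filters` list shaped like the one in the reply above to sample lines, so an event-ID expression can be tried before it goes into the agent config. It assumes a line is forwarded only if it passes every filter; the sample lines, their bracketed event-ID layout and the `Forwarded` helper are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Filter mirrors one entry of the "filters" array in the config above.
type Filter struct {
	Type       string `json:"type"`
	Expression string `json:"expression"`
}

// Constructed sample lines; the bracketed event-ID layout is an assumption.
var sampleLines = []string{
	"[Security] [INFORMATION] [4624] An account was successfully logged on.",
	"[Security] [INFORMATION] [4625] An account failed to log on.",
	"[Security] [INFORMATION] [4634] Account logged off. Logon ID: 0x4624",
}

// Forwarded keeps lines where every "include" matches and no "exclude" does.
func Forwarded(filtersJSON string, lines []string) ([]string, error) {
	var filters []Filter
	if err := json.Unmarshal([]byte(filtersJSON), &filters); err != nil {
		return nil, err
	}
	kept := []string{}
	for _, line := range lines {
		pass := true
		for _, f := range filters {
			re, err := regexp.Compile(f.Expression)
			if err != nil {
				return nil, err
			}
			pass = pass && re.MatchString(line) == (f.Type == "include")
		}
		if pass {
			kept = append(kept, line)
		}
	}
	return kept, nil
}

func main() {
	// Hypothetical filter list: forward only event IDs 4624 and 4625.
	kept, err := Forwarded(`[{"type":"include","expression":"\\[(4624|4625)\\]"}]`, sampleLines)
	fmt.Println(kept, err)
}
```

An unanchored expression such as `4624|4625` also keeps the third sample line, because the number appears inside the message text rather than in the event-ID field.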