The event log file for Microsoft ISA or Microsoft TMG might contain comment markers. Comments must be filtered from the event message.
- From the Start menu, select .
  The Syslog-ng Agent window is displayed.
- Expand the Syslog-ng Agent Settings pane, and select Destinations.
- Right-click on your IBM QRadar Syslog destination and select .
  The Global event filters Properties window is displayed.
- Configure the following values:
  - From the Global file filters pane, select Enable.
  - From the Filter Type pane, select Black List Filtering.
- Click OK.
- From the Filter List menu, double-click Message Contents.
  The Message Contents Properties window is displayed.
- From the Message Contents pane, select Enable.
- In the Regular Expression field, type the following regular expression:
- Click Add.
- Click Apply, and then click OK.
  The event messages with comments are no longer forwarded.
Note: You might need to restart the Syslog-ng Agent for Windows service to begin syslog forwarding. For more information, see your BalaBit Syslog-ng Agent documentation.