IBM Operations Analytics - Log Analysis, Version 1.3.2

Limiting the flow of events to the Windows OS Event Log Insight Pack

An optional set of steps that limits the events flowing to the Windows OS Event Log Insight Pack.

About this task

Windows OS generates a large number of Information-level events that users may not wish to track. The .fmt file can be edited to limit what is monitored.

Procedure

  1. On the Windows server, edit the .fmt file (see the steps above for configuring the Tivoli LFA) as follows. For more information about how to configure the IBM® Tivoli® Monitoring Log File Agent, see Integrating the Windows OS Events Insight Pack with the Log File Agent.

    Update the .fmt file from:

    // Matches records for any Log file and converts to csv format:
    //
    REGEX AllRecords
    ^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (\S+) (\S+) (\S+) (\S+) ([0-9]+) (.*)
    hostname LABEL
    -file FILENAME
    RemoteHost DEFAULT
    logpath "WindowsOSEventsLFA"
    text PRINTF("%s,%s,%s,%s,%s,%s,%s,%s",file,$2,$3,$4,$5,$6,$7,$8)
    END

    To:

    // Matches records for any Log file and converts to csv format:
    //
    REGEX AllRecords
    ^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (Warning|Error|Critical) (\S+) (\S+) (\S+) ([0-9]+) (.*)
    hostname LABEL
    -file FILENAME
    RemoteHost DEFAULT
    logpath "WindowsOSEventsLFA"
    text PRINTF("%s,%s,%s,%s,%s,%s,%s,%s",file,$2,$3,$4,$5,$6,$7,$8)
    END

    This limits the events sent to IBM Operations Analytics - Log Analysis to those of type Warning, Error, or Critical. Records whose level field is anything else, including Information, no longer match the regular expression and are not sent to IBM Operations Analytics - Log Analysis.
  2. Restart the LFA instance using the Manage Tivoli Enterprise Monitoring Services application.
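To see what the edited regular expression drops before touching a production .fmt file, the following added example (not part of the IBM documentation or the Insight Pack) runs both patterns from the procedure above over constructed Windows event records. The CSV assembly is a simplified stand-in for the PRINTF line, and the record layout, file name "Application" and sample messages are assumptions.

```python
import re

# Regex from the page's original AllRecords entry: any event level passes.
ALL_RECORDS = re.compile(
    r"^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) "
    r"[0-9] (\S+) (\S+) (\S+) (\S+) ([0-9]+) (.*)"
)

# Regex from the edited entry: the level field must be Warning, Error or
# Critical, so Information records never match and are never forwarded.
FILTERED = re.compile(
    r"^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) "
    r"[0-9] (Warning|Error|Critical) (\S+) (\S+) (\S+) ([0-9]+) (.*)"
)

# Constructed sample records in the layout the regex expects: timestamp,
# one-digit type code, level, source, category, host, event ID, message.
SAMPLE_RECORDS = [
    "Jan 13 10:22:01 2014 4 Information Service_Control_Manager None HOST1 7036 "
    "The Windows Update service entered the running state.",
    "Jan 13 10:22:05 2014 2 Warning Microsoft-Windows-Time-Service None HOST1 36 "
    "The time service has not synchronized the system time.",
    "Jan 13 10:23:10 2014 1 Error Microsoft-Windows-Kernel-Power None HOST1 41 "
    "The system has rebooted without cleanly shutting down first.",
    "Jan 13 10:24:00 2014 4 Information Microsoft-Windows-Security-Auditing None "
    "HOST1 4624 An account was successfully logged on.",
    "malformed line that matches neither pattern",
]


def to_csv(pattern, filename, record):
    """CSV row for one record, or None when the pattern rejects it.
    Stand-in for the .fmt PRINTF line (log file name, then the captured
    fields); it is not the LFA engine's exact output."""
    match = pattern.match(record)
    if match is None:
        return None
    return ",".join((filename, *match.groups()))


def forward(pattern, filename, records):
    """Rows the LFA would forward to Log Analysis under the given regex."""
    rows = (to_csv(pattern, filename, r) for r in records)
    return [row for row in rows if row is not None]


def levels_forwarded(pattern, records):
    """Distinct event levels (second captured field) that pass the pattern."""
    return {m.group(2) for m in map(pattern.match, records) if m}
```

Comparing `levels_forwarded(ALL_RECORDS, ...)` with `levels_forwarded(FILTERED, ...)` shows exactly which levels the edit removes from the feed; check that set against the events your detection content depends on before applying the change.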