Filter Virtual Logs at the Agent

In some scenarios, you may want to filter or drop raw logs at the Agent so they are not sent to the Data Processor, reducing bandwidth and resource consumption on the Data Processor. Potential benefits of filtering logs at the Agent include:

  • Saves network bandwidth
  • Reduces the messages per second (MPS) of the deployment
  • Reduces the number of Data Processors needed

Agent prerequisites for filtering virtual logs:

  • 7.3.x or higher
  • Windows or Linux

Logs that are filtered at the Agent are dropped before they are sent to the Data Processor and cannot be recovered.

  1. Create a new virtual log source and enable the Drop Logs option. For more information, see Create Virtual Log Sources.
  2. Enable virtualization on a new or existing Log Source.
  3. Open the properties of a new or existing Log Message Source.
  4. Click the Log Source Virtualization tab.
  5. Select the Enable Virtualization check box.
  6. Click Create Virtual Log Sources.
  7. Select the appropriate template under Log Source Virtualization Template.
  8. Select the Action check box for the virtual log sources to be included, and then save your changes.
