NXlog config error for DC events

#1 tyros77

Hello,

I am having issues setting up the config file for NXlog to pull security events from a DC and send them to Graylog for my school Capstone project. In the log I keep getting an error "Couldnt parse Exec block at ... couldnt parse statement at line 58, character 218 in .... sytnax error, unexpected )". I utilized a config setup from the NXlog documentation and adjusted it for my needs. I am not sure what is wrong, as the Exec block looks proper to me. Here is what I have in my config file:

define SecuritySrc Microsoft-Windows-Security-Auditing

    <Input DC_events>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*[System[Provider[ @Name='%SecuritySrc%']]] </Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if not (defined($SourceName) and ($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%"))   <------ line 58
                drop();
        </Exec>
    </Input>

I appreciate any help on this!

#2 b0ti Nxlog ✓

You probably don't have %SecurityIDs% defined.
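As an added illustration of that answer (not the poster's or NXlog's own config), here is the same input with the missing define supplied; the event ID list is an assumed placeholder set of common Security-log IDs, not something from the thread:

```conf
# Added example: the poster's Input block with the missing define supplied.
# The event ID list is an assumption for illustration; pick the IDs the
# Graylog pipeline actually needs.
define SecuritySrc Microsoft-Windows-Security-Auditing
define SecurityIDs 4624, 4625, 4634, 4672, 4720, 4728, 4732, 4756

<Input DC_events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[Provider[@Name='%SecuritySrc%']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # %SecurityIDs% expands to the comma-separated list above; with the
        # define absent there is nothing valid inside "IN ( ... )", which is
        # where the parser reported the unexpected ")".
        if not (defined($SourceName) and ($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%"))
            drop();
    </Exec>
</Input>
```

Every `%name%` used in an Exec block needs a matching `define name ...` earlier in the file, so a quick check for this class of error is to grep the config for `%...%` tokens and confirm each has a define.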