How to forward Event IDs for specific process names


#1 Neeraj79

Hello, We are using NXLOG to forward our Windows Event Viewer logs to our syslog server. On our Windows clients, we have enabled process auditing, so this logs 1000s of events for every process that gets launched and terminated. There is a common event ID, 4688, when a process gets created (launched). If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events, each with the same event ID 4688, but the actual message in each event contains the name of the corresponding process or program that was launched. For example:

Event 4688 ... a process "cmd.exe" was launched
Event 4688 ... a process "word.exe" was launched
Event 4688 ... a process "notepad.exe" was launched
Event 4688 ... a process "abc.exe" was launched
Event 4688 ... a process "xyz.exe" was launched

My requirement is to only forward those events that are coming from a particular process, say "notepad.exe", and ignore the other processes even though each one of them has the same event ID. Hope I am clear. Below is a snippet of the "Input" module from my nxlog.conf. How can I customize or filter my code below so that it filters on the process name "notepad.exe" that I want, instead of sending every event 4688?

<Input in>
    Module          im_msvistalog
    ReadFromLast    True
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4688)]]</Select>\
                </Query>\
            </QueryList>
</Input>
#2 b0ti Nxlog ✓
Exec if $ProcessName !~ /notepad\.exe/ drop();

You will need to figure out the exact field name but as far as I remember the above should be correct.
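Putting the two posts together, here is a complete nxlog.conf fragment that reads only event 4688 from the Security log, keeps the events for one launched program and forwards them as BSD syslog. This is an added example, not configuration from the original posts or from the NXLog project. It assumes the syslog server is 10.0.0.5 on UDP 514 (placeholder) and that the program of interest is notepad.exe. In event 4688 the EventData element NewProcessName carries the full path of the program that was started, and im_msvistalog exposes it as $NewProcessName; that is the field the answer above tells you to look up.

```nxlog
# Added example (not from the original thread). Placeholder values:
# 10.0.0.5:514 is the syslog server, notepad.exe is the program to keep.

<Extension syslog>
    Module          xm_syslog
</Extension>

<Input in>
    Module          im_msvistalog
    ReadFromLast    True
    # Subscribe only to "A new process has been created" (4688) so the
    # other audit events are never read from the Security log at all.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4688)]]</Select>\
                </Query>\
            </QueryList>
    # $NewProcessName is the full path of the launched program, e.g.
    # C:\Windows\System32\notepad.exe. The regex is anchored on the
    # preceding backslash and the end of the string so that names such as
    # mynotepad.exe or notepad.exe.bak do not match, and it is
    # case-insensitive because Windows paths are. Every other 4688 event
    # is dropped here, before it reaches the route, so it is never sent.
    Exec    if $NewProcessName !~ /\\notepad\.exe$/i drop();
</Input>

<Output out>
    Module          om_udp
    Host            10.0.0.5
    Port            514
    Exec            to_syslog_bsd();
</Output>

<Route r>
    Path            in => out
</Route>
```

If the filter should be applied even earlier, Windows event XPath also allows an exact, case-sensitive match on the field inside the query itself, e.g. `*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\notepad.exe']]`; that spares NXLog from reading the unwanted events, but it only matches one literal path, whereas the Exec regex above matches the program wherever it is installed.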