Filter type in windows event log


#1 anvers

Hi all, I wanted to see if I could get help with a filter for Windows events. I want to get all the "Security" events except those that contain a word with .tmp inside. For example:

ObjectName F:\Personal\Battista\14FC4253.tmp

With a user's help in chat I tried this config, but it doesn't work:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _gelf>
    #Module xm_syslog
    Module xm_gelf
    #Module xm_json
</Extension>

<Input in1>
    Module im_msvistalog
    # Uncomment the following to collect specific event logs only
    Query <QueryList>\
            <Query Id="0">\
               <Select Path="Application">*</Select>\
               <Select Path="System">*</Select>\
               <Select Path="Security">*</Select>\
            </Query>\
        </QueryList>
    # Drop Security events whose ObjectName contains a literal ".tmp".
    # The dot must be escaped: an unescaped '.' matches any character.
    <Exec>
        if $Channel == 'Security' and $ObjectName =~ /\.tmp/ drop();
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host 172.20.5.32
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF
</Output>

<Route 1>
    Path in1 => out
</Route>

Thanks!
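As an added illustration (my own code, not anvers's config and not anything shipped with nxlog), the script below replays the posted drop condition over constructed Security-style events and compares the pattern from the post with an escaped, anchored, case-insensitive one. The sample events, the `should_drop`/`forward` helper names and the case-insensitive choice are assumptions of this example.

```python
import re

# Constructed sample events shaped like the fields im_msvistalog exposes
# ($Channel, $EventID, $ObjectName); these are not real log records.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"F:\Personal\Battista\14FC4253.tmp"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"F:\Personal\Battista\report.docx"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"C:\Build\config.tmpl"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"C:\Exports\datmp\summary.csv"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"C:\Users\anvers\AppData\Local\Temp\ABCD.TMP"},
    {"Channel": "Security", "EventID": 4624},  # logon event: no ObjectName field at all
    {"Channel": "System", "EventID": 7036, "ObjectName": r"D:\svc\state.tmp"},
]

# The pattern from the post: an unescaped '.' matches any character, so it also
# hits 'datmp' and '.tmpl'; it is case-sensitive, so '.TMP' slips through.
POSTED_PATTERN = re.compile(r".tmp")
# Literal dot, anchored at the end of the name, case-insensitive (Windows paths are).
ESCAPED_PATTERN = re.compile(r"\.tmp$", re.IGNORECASE)


def should_drop(event, pattern):
    """Mirror the posted condition: $Channel == 'Security' and $ObjectName =~ pattern.

    An event with no ObjectName field cannot match, so it is forwarded; in nxlog an
    undefined field makes the comparison false rather than raising an error.
    """
    if event.get("Channel") != "Security":
        return False
    name = event.get("ObjectName")
    if name is None:
        return False
    return pattern.search(name) is not None


def forward(events, pattern):
    """Return the events that survive the drop filter, in input order."""
    return [e for e in events if not should_drop(e, pattern)]


def kept_names(events, pattern):
    """ObjectName of each forwarded event ('<none>' when the field is absent)."""
    return [e.get("ObjectName", "<none>") for e in forward(events, pattern)]


if __name__ == "__main__":
    for label, pattern in (("posted /.tmp/", POSTED_PATTERN), ("escaped /\\.tmp$/i", ESCAPED_PATTERN)):
        print(label)
        for name in kept_names(SAMPLE_EVENTS, pattern):
            print("  kept:", name)
```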

#3 b0ti Nxlog ✓
#1 anvers

but doesn't work

This is an awful lot of information to help you out!