Drop Win Event message based on text file content


#1 habrosec

I'm attempting to use NXLog (community edition atm) to read Active Directory logs into NXLog and output to syslog/json. I have a text file (one username per line) that I need to be able to compare to the username in the Windows event logs from AD. I need to be able to drop messages if the username in the Windows AD event log matches a username in the text file of usernames.

I've spent quite a bit of time googling and reading documentation and haven't found a method to achieve this. Can anyone assist?

#2 b0ti Nxlog ✓
#1 habrosec
I'm attempting to use NXLog (community edition atm) to read Active Directory logs into NXLog and output to syslog/json. I have a text file (one username per line) that I need to be able to compare to the username in the Windows event logs from AD. I need to be able to drop messages if the username in the Windows AD event log matches a username in the text file of usernames. I've spent quite a bit of time googling and reading documentation and haven't found a method to achieve this. Can anyone assist?

Unfortunately I can't think of a solution using the CE, but the xm_filelist module in the NXLog EE allows you to do this, e.g.: Exec if mylist->matches($AccountName) drop();
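As an added example (not b0ti's or NXLog's own configuration), here is a minimal NXLog Enterprise Edition config that applies the xm_filelist check described above to Security events read with im_msvistalog; the list file path, the syslog destination, and the use of $TargetUserName as the account field are assumptions.

```conf
# Added example: drop AD Security events whose account name appears in a
# text file (one username per line), then forward the rest as JSON.

<Extension json>
    Module  xm_json
</Extension>

# xm_filelist (Enterprise Edition only) loads the file and re-reads it when
# it changes, so the drop list can be edited without restarting NXLog.
# The path below is an assumed placeholder.
<Extension mylist>
    Module  xm_filelist
    File    'C:\nxlog\conf\dropped_users.txt'
</Extension>

<Input ad_events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # The field holding the account depends on the event ID; logon events
    # (4624/4625) carry it in $TargetUserName (assumed here). Check that the
    # field exists first so events without it are never dropped by accident.
    Exec if defined($TargetUserName) and mylist->matches($TargetUserName) drop();
</Input>

# Assumed destination: a syslog/JSON collector listening on TCP 514.
<Output syslog_out>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
    Exec    to_json();
</Output>

<Route ad_to_syslog>
    Path    ad_events => syslog_out
</Route>
```

Events that match a line in the list are discarded inside the input module, before any output sees them; everything else is serialized with to_json() and sent on.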