How can I collect Active Directory Domain Service events and DNS events with Nxlog?

Tags: nxlog.conf

#1 artvandelay05

My problem is I cannot collect ADDS or DNS events with Nxlog and send them to an ELK server. In the Nxlog config for the DC and DNS server I have the following Query

<QueryList>\
  <Query Id="0">\
     <Select Path="Security">*</Select>\
     <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4769)]]</Suppress>\
     <Select Path="System">*[System/Level=2]</Select>\
     <Select Path="Microsoft-Windows-ActiveDirectory_DomainService">*</Select>\
     <Select Path="Microsoft-Windows-DNS-Server-Service">*</Select>\
  </Query>\
</QueryList>

The config file works correctly without the Active Directory and DNS paths. The desired Security and System logs go to ELK correctly. I have also tried leaving only the ADDS or DNS paths in the config file with no luck. I don't think I have the correct paths for ADDS and DNS in the config and that is my problem. My Google-fu and Bing-fu haven't found any results giving me the Event ID channel for ADDS and DNS events. I've only found the Event ID channels for Application, Security, System, and Setup. Any suggestions? I'm up for any!

The DC\DNS server and the ELK server are running on Windows Server 2012. ELK install is running the latest stable releases of ELK.

Thanks!

#2 adm Nxlog ✓

If you create a filter in event viewer and click on the XML tab, the XML can be copied to the Query directive. Just make sure to add a backslash after each line.
See here: http://blogs.technet.com/b/kfalde/archive/2014/03/25/xpath-event-log-filtering.aspx
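As an added illustration of the step described in this answer (this is example code, not from the thread or from NXLog), the following Python helper takes the XML that Event Viewer shows on its XML tab, checks that it is well-formed and that every Select/Suppress names a channel, lists the channel names so each can be confirmed against the logs the server actually has (for example with `Get-WinEvent -ListLog` in PowerShell), and then emits the `Query` directive with a backslash after every line but the last, wrapped in an `im_msvistalog` Input block. The sample XML is constructed; the channel names "Directory Service" and "DNS Server" in it are an assumption about what Event Viewer produces on a domain controller and should be verified against your own server's XML tab.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of XML Event Viewer's filter dialog shows on
# its XML tab for a view over the Directory Service and DNS Server logs.
# The two channel names are an assumption about what Event Viewer emits on a
# domain controller; confirm them on your own server before relying on them.
SAMPLE_EVENT_VIEWER_XML = """<QueryList>
  <Query Id="0">
    <Select Path="Directory Service">*</Select>
    <Select Path="DNS Server">*</Select>
    <Select Path="System">*[System/Level=2]</Select>
  </Query>
</QueryList>"""


def query_problems(xml_text):
    """Sanity-check an Event Viewer query before it goes into nxlog.conf.

    Returns a list of problems; an empty list means the XML parsed and every
    <Select>/<Suppress> names a channel through its Path attribute.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    problems = []
    if root.tag != "QueryList":
        problems.append(f"root element is <{root.tag}>, expected <QueryList>")
    for node in root.iter():
        if node.tag in ("Select", "Suppress") and not node.get("Path"):
            problems.append(f"<{node.tag}> is missing its Path attribute")
    return problems


def channels_in_query(xml_text):
    """Return the sorted channel names the query reads, so each one can be
    checked against the log names the server really has."""
    problems = query_problems(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    return sorted({n.get("Path") for n in root.iter()
                   if n.tag in ("Select", "Suppress")})


def to_nxlog_query_directive(xml_text):
    """Render the XML as a multi-line NXLog 'Query' directive.

    NXLog reads the directive as one logical line, so every physical line
    except the last ends with a backslash, as the answer above describes.
    """
    channels_in_query(xml_text)  # refuse to emit a directive from broken XML
    lines = [ln.rstrip() for ln in xml_text.strip().splitlines() if ln.strip()]
    out = []
    for i, line in enumerate(lines):
        prefix = "Query " if i == 0 else "      "
        suffix = "\\" if i < len(lines) - 1 else ""
        out.append(prefix + line + suffix)
    return "\n".join(out)


def nxlog_input_block(name, xml_text):
    """Wrap the directive in an <Input> block using im_msvistalog, NXLog's
    Windows event log input module, indented the way nxlog.conf is usually
    written. The block name is whatever the caller chooses."""
    query = to_nxlog_query_directive(xml_text).replace("\n", "\n    ")
    return f"<Input {name}>\n    Module im_msvistalog\n    {query}\n</Input>"


if __name__ == "__main__":
    print("channels referenced:", channels_in_query(SAMPLE_EVENT_VIEWER_XML))
    print(nxlog_input_block("eventlog", SAMPLE_EVENT_VIEWER_XML))
```

Paste the printed Input block into nxlog.conf and route it to the existing output; if the channel list contains a name that `Get-WinEvent -ListLog` does not know, fix the XML in Event Viewer first rather than in the config file.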