Request trial
Request Trial

Collecting Event Viewer Logs (msvistalog), but oddly fails with error

Tags: msvistalog
#1 Pervon

I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:

    .\nxlog.exe -v
    
    INFO configuration OK

    .\nxlog.exe -f
    
     INFO nxlog-ce-2.10.2150 started
     ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
     ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001]

The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate eventIDs). Below is the configuration and associated examples

Complete but fails .conf


    #NoFreeOnExit TRUE
    
    define ROOT	C:\Program Files (x86)\nxlog
    define CERTDIR	%ROOT%\cert
    define CONFDIR 	%ROOT%\conf
    define LOGDIR	%ROOT%\data
    define LOGFILE 	%LOGFILE%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir 	%ROOT%\modules
    CacheDir  	%ROOT%\data
    Pidfile		%ROOT%\data\nxlog.pid
    SpoolDir	%ROOT%\data
    
    <Extension gelf>
    	Module xm_gelf
    <Extension>
    
    <input eventlog>
    	Module im_msvistalog
    	<QueryXML>
    		<QueryList>
    			<Query Id='0'>
    				<Select Path='Security'>
    					(EventID=550) or
    					(EventID=612) or
    					(EventID=801) or
    					(EventID=1102) or
    					(EventID=1104) or
    					(EventID=1108) or
    					(EventID=4608) or
    					(EventID=4616) or
    					((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
    					((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
    					((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
    					((EventID=4648) and (TargetDomainName="domain.net")) or
    					(EventID=4649) or
    					((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
    					((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
    					((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
    					(EventID=4699) or
    					(EventID=4704) or
    					(EventID=4717) or
    					(EventID=4719) or
    					(EventID=4720) or
    					(EventID=4726) or
    					(EventID=4740) or
    					(EventID=4765) or
    					(EventID=4766) or
    					(EventID=4794) or
    					(EventID=4897) or
    					(EventID=4946) or
    					(EventID=4948) or
    					(EventID=4950) or
    					(EventID=4964) or
    					(EventID=5024) or
    					(EventID=5025) or
    					(EventID=5030) or
    					(EventID=5124) or
    					((EventID=5140) and (ShareName!="\\*C$")) or
    					((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
    					(EventID=5148) or
    					(EventID=5149) or
    					(EventID=5154) or
    					(EventID=5155) or
    					(EventID=5156) or
    					(EventID=5157) or
    					(EventID=5158) or
    					(EventID=5159) or
    					(EventID=5376) or
    					(EventID=5379)
    				</Select>
    			</Query>
    		</QueryList>
    	</QueryXML>
    </Input>
    
    <Output graylog>
    	Module om_udp
    	Host 192.168.1.1
    	Port 55555
    	OutputType GELF_UDP
    </Output>
    
    <Route toGraylog>
    	Path eventlog => graylog
    </Route>

Cut out from above. Succeeds:

    <input eventlog>
    	Module im_msvistalog
    	<QueryXML>
    		<QueryList>
    			<Query Id='0'>
    				<Select Path='Security'>
    					(EventID=550) or
    					(EventID=612) or
    					(EventID=801) or
    					(EventID=1102) or
    					(EventID=1104) or
    					(EventID=1108) or
    					(EventID=4608) or
    					(EventID=4616) or
    					((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
    					((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
    					((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10)))
    					((EventID=4648) and (TargetDomainName="domain.net")) or
    					(EventID=4649) or
    					((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
    					((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
    					((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
    					(EventID=4699) or
    					(EventID=4704) or
    					(EventID=4717) or
    					(EventID=4719) or
    					(EventID=4720) or
    					(EventID=4726) or
    					(EventID=4740) or
    					(EventID=4765) or
    					(EventID=4766) or
    					(EventID=4794) or
    					(EventID=4897) or
    					(EventID=4946) or
    					(EventID=4948) or
    					(EventID=4950) or
    					(EventID=4964) or
    					(EventID=5024) or
    					(EventID=5025) or
    					(EventID=5030) or
    					(EventID=5124) or
    					((EventID=5140) and (ShareName!="\\*C$")) or
    					((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
    					(EventID=5148) or
    					(EventID=5149) or
    					(EventID=5154) or
    					(EventID=5155) or
    					(EventID=5156) or
    					(EventID=5157) or
    					(EventID=5158) or
    					(EventID=5159) or
    					(EventID=5376) or
    					(EventID=5379)
    				</Select>
    			</Query>
    		</QueryList>
    	</QueryXML>
    </Input>

Fails:

    (EventID=4699) or
    (EventID=4704) or
    (EventID=4717) or
    (EventID=4719) or
    (EventID=4720) or
    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156) or
    (EventID=5157) or
    (EventID=5158) or
    (EventID=5159) or
    (EventID=5376) or
    (EventID=5379)

Succeeds (Removed bottom 5):

    (EventID=4699) or
    (EventID=4704) or
    (EventID=4717) or
    (EventID=4719) or
    (EventID=4720) or
    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156)

Succeeds (Added bottom 5 back and removed top 5):

    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156) or
    (EventID=5157) or
    (EventID=5158) or
    (EventID=5159) or
    (EventID=5376) or
    (EventID=5379)

Thank you!

Permalink
#2 b0ti Nxlog ✓
#1 Pervon
I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is: .\nxlog.exe -v INFO configuration OK .\nxlog.exe -f INFO nxlog-ce-2.10.2150 started ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid. ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001] The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate eventIDs). Below is the configuration and associated examples Complete but fails .conf #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGFILE%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension gelf> Module xm_gelf <Extension> <input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Security'> (EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or ((EventID=5140) and (ShareName!="\\*C$")) or ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379) </Select> </Query> </QueryList> </QueryXML> </Input> <Output graylog> Module om_udp Host 192.168.1.1 Port 55555 OutputType GELF_UDP </Output> <Route toGraylog> Path eventlog => graylog </Route> Cut out from above. Succeeds: <input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Security'> (EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or ((EventID=5140) and (ShareName!="\\*C$")) or ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379) </Select> </Query> </QueryList> </QueryXML> </Input> Fails: (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379) Succeeds (Removed bottom 5): (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) Succeeds (Added bottom 5 back and removed top 5): (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379) Thank you!

The XPath within QueryXML is passed to the EventLog API as-is, and the error message also comes from MS code. We believe there is a length limitation for the XPath query.
See the Filtering Events section for more information about this.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS