Windows Event Logs filter by Account Name
Hi guys,
I must forwarding some logs, but only of some users. this's my current configuration.
Panic Soft #NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data
<Extension _syslog> Module xm_syslog </Extension>
<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>
<Extension _exec> Module xm_exec </Extension>
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Security'>*[System[(EventID=4720 or EventID=4634 or EventID=4625 or EventID=4624 or EventID=4726)]]</Select> </Query> </QueryList> </QueryXML> Exec $Message = 'EventID: ' + $EventID +' Source: '+ $IpAddress + ' Username: ' + $TargetUserName ; </Input>
<Output tcp> Module om_udp Host xx.xxx.xx.xxx Port xxx Exec to_syslog_bsd(); </Output>
<Route eventlog_to_tcp> Path eventlog => tcp </Route>
can you help me? thank you
Hello,
You need to provide the list of names to be included in the forwarding process - if you don't mind the list being hard-coded in the conf file, you may simply make put it as:
define SELECTED_USERS 'user1', 'user2',...
And then, add simple filtering, adding cause in a proper place:
Exec if $TargetUserName NOT IN %SELECTED_USERS% drop();
You might find some inspiration in im_msvistalog docs
Regards,
Rafal
