Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Windows event logging
Forgive my ignorance but I'm looking to use NX Log to capture all Windows events under System, Application and Security, whether they be Audit, Info, Error or Critical. Am I correct in my assumption that with no filters it should collect everything?
    <Select Path='Application'>*</Select>
    <Select Path='Security'>*</Select>
    <Select Path='System'>*</Select>
Or do I need to specify each severity level on a single line? For example:
    <Select Path='Application'>*[System/Level=4]</Select>
    <Select Path='Application'>*[System/Level=3]</Select>
    <Select Path='Application'>*[System/Level=2]</Select>

and so on?


scotty
Replies: 1
View post »
gahorvath
Nxlog CE agent forwarding all Windows Events despite the query level filter
Hello everybody,
I'm trying to filter the Windows event log by severity/level, only from warning to critical, so from level 1 to 3.

Unfortunately, I tried several configurations, but the agent is still forwarding all the events, as if there were no filters.

My specifications are: Nxlog CE Agent (version 2.10.2102) on Windows 10 64-bit build 1803 with this conf:

    Panic Soft

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension _syslog>
        Module      xm_syslog
    </Extension>

    <Input eventlog>
        Module      im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path='Security'>*[System[(Level=1)]]</Select>
                    <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Processor buffer>
        Module      pm_buffer
        MaxSize     102400
        Type        disk
    </Processor>

    <Output out>
        Module  om_tcp
        Host    X.X.X.X
        Port    514
        Exec    to_syslog_snare();
    </Output>

    <Route 1>
        Path eventlog => buffer => out
    </Route>

Am I missing something? Did something change recently in the syntax?

Thanks for your help.

Best regards :)

Olistra
Replies: 2
View post »
Olistra
Nxlog syntax for capturing Windows Event Viewer logs
Hello,
I am using NXLOG to capture Windows Event Viewer logs. I have the below requirements:
(1) Forward Event ID 4624 events.
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes.

Both of the above events are from the "Security" category of Event Viewer. If I use the below syntax, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my QUERY block?

Query \
\
\
\
\



Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?

Query \
\
\
\
\
\
\


Neeraj79
Replies: 1
View post »
b0ti
How to forward Event ID's for specific process names
Hello,
We are using NXLOG to forward our Windows Event Viewer logs to our syslog server. On our Windows clients, we have enabled process auditing, so this logs 1000s of events for every process that gets launched and terminated. There is a common event ID, 4688, when a process gets created (launched). If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events, each with the same event ID 4688, but the actual message in each event contains the name of the corresponding process or program that was launched. For example:

Event 4688 ... a process "cmd.exe" was launched  
Event 4688 ... a process "word.exe" was launched  
Event 4688 ... a process "notepad.exe" was launched  
Event 4688 ... a process "abc.exe" was launched   
Event 4688 ... a process "xyz.exe" was launched  

My requirement is to only forward those events that are coming from a particular process, say "notepad.exe", and ignore the other processes even though each one of them has the same EVENT ID. Hope I am clear. Below is a snippet of the "Input" module from my nxlog.conf. How can I customize or filter my below code to filter on the process name "notepad.exe" that I want, instead of sending every event 4688?



    <Input in>
        Module          im_msvistalog
        ReadFromLast    True
        # Multi-line directive value: every line but the last ends in a backslash.
        # The original was missing the closing parenthesis after EventID=4688.
        Query   <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4688)]]</Select>\
                    </Query>\
                </QueryList>
    </Input>



Neeraj79
Replies: 1
View post »
Neeraj79
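The two Security-log questions above (keep all 4624 logons, but only the 4688/4689 process events for notepad.exe) can be handled either in the event query itself or in NXLog's Exec language. The following is an added example and not code from either post or from NXLog's documentation; the image path and the field names `$NewProcessName`/`$ProcessName` are assumptions, based on im_msvistalog exposing each EventData `Data` element as a field named after its `Name` attribute.

```apacheconf
# Option A: filter inside the query. Windows event XPath allows several
# Select elements for the same Path inside one Query, and can test EventData
# values, but only by exact comparison (no substring functions), so the full
# image path is required. Path is an assumption for this example.
<Input security_xpath>
    Module          im_msvistalog
    ReadFromLast    True
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <!-- every successful logon -->
                <Select Path="Security">*[System[(EventID=4624)]]</Select>
                <!-- process creation: 4688 carries the image in NewProcessName -->
                <Select Path="Security">*[System[(EventID=4688)] and EventData[Data[@Name='NewProcessName']='C:\Windows\System32\notepad.exe']]</Select>
                <!-- process exit: 4689 carries the image in ProcessName instead -->
                <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName']='C:\Windows\System32\notepad.exe']]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Option B: select the three event IDs, then drop process events whose image
# name does not end in notepad.exe. This also catches a notepad.exe started
# from another directory, at the cost of NXLog reading every 4688/4689 first.
<Input security_exec>
    Module          im_msvistalog
    ReadFromLast    True
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4688 or EventID=4689)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Case-insensitive match on the file name after the last backslash.
    Exec if ($EventID == 4688 and not ($NewProcessName =~ /\\notepad\.exe$/i)) drop();
    Exec if ($EventID == 4689 and not ($ProcessName =~ /\\notepad\.exe$/i)) drop();
</Input>
```

Option A is cheaper because Windows does the filtering before NXLog sees the event; Option B is the one to use when only the executable name, not its full path, is known.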
NXLog SeverityValue for Windows Events
When NXLog ships a Windows event, it appears to be changing the Windows original severity level, and replacing it with SeverityValue and Severity with different values. What is the mapping of these values? If Windows has severity values, with "Level" being 4 for Information, 3 for Warning, 2 for Error and 1 for Critical, what is the nxlog created SeverityValue?

Also, I couldn't find an explanation of why this value is changing.


cybergoof
Replies: 1
View post »
cybergoof