Official NXLog conf mistake? MS AD Security events don't match channel
Hi, I'm not sure if this is an NXLog conf mistake or whether I misunderstood it. The official NXLog conf file: https://nxlog.co/documentation/nxlog-user-guide/ad-domain-controller.html
The event IDs included in the conf file seem to be the ones found on the Domain Controller under Event Viewer -> Windows Logs -> Security.
But in the conf file below, NXLog is trying to look for these events in "Directory Service", with [System[Provider[ @Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
I did a test and it seems that in "Directory Service" there are almost zero events that are listed in "HighEventIds", "MediumEventIds" and "LowEventIds".
Can someone tell me if this is a mistake in the official NXLog conf file, or am I misunderstanding the conf file configuration?
Thanks
define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102
define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
    4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
    4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
    4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
    4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
    5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
    5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
    6280, 24586, 24592, 24593, 24594
define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
    4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
    4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
    4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
    4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
    4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
    4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
    4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
    4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
    4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
    4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
    4891, 4893, 4894, 4895, 4898, 5136, 5137

<Input events>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Directory Service">
                <Select Path="Directory Service">
                    *[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Keep only the event IDs listed in the three define lists above.
        if ($EventID NOT IN (%HighEventIds%)) and
           ($EventID NOT IN (%MediumEventIds%)) and
           ($EventID NOT IN (%LowEventIds%))
            drop();
    </Exec>
</Input>
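An added check, not part of the original post or of NXLog's documentation, that reads the three define lists straight out of the conf and reports how many of those IDs actually appear in the "Security" channel versus "Directory Service" on the DC over a lookback window. The conf path and the 7-day window are assumptions; run it in an elevated PowerShell on the domain controller.

```powershell
# Added example (not from the original post or NXLog's docs).
# Assumptions: conf path below and a 7-day lookback; adjust as needed.
param(
    [string]$ConfPath = 'C:\Program Files\nxlog\conf\nxlog.conf',
    [int]$Days = 7
)

# Pull HighEventIds/MediumEventIds/LowEventIds out of the conf, honouring
# NXLog's "\" line continuation, so the check uses the same lists NXLog does.
$conf = (Get-Content -Raw -Path $ConfPath) -replace '\\\r?\n', ' '
$ids  = [System.Collections.Generic.List[int]]::new()
foreach ($m in [regex]::Matches($conf, '(?m)^\s*define\s+(?:High|Medium|Low)EventIds\s+(.+)$')) {
    foreach ($tok in ($m.Groups[1].Value -split ',')) {
        $t = $tok.Trim()
        if ($t -match '^\d+$' -and -not $ids.Contains([int]$t)) { $ids.Add([int]$t) }
    }
}
$idArr = $ids.ToArray()
$since = (Get-Date).AddDays(-$Days)

foreach ($channel in 'Security', 'Directory Service') {
    $counts = @{}
    # Query in small chunks: the event log XPath engine rejects long Id lists.
    for ($i = 0; $i -lt $idArr.Count; $i += 20) {
        $chunk  = $idArr[$i..([Math]::Min($i + 19, $idArr.Count - 1))]
        $filter = @{ LogName = $channel; Id = $chunk; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { $counts[$_.Id] = 1 + [int]$counts[$_.Id] }
    }
    $seen = @($idArr | Where-Object { $counts.ContainsKey($_) })
    [pscustomobject]@{
        Channel       = $channel
        ConfiguredIds = $idArr.Count
        IdsSeen       = $seen.Count
        TotalMatches  = [int]($counts.Values | Measure-Object -Sum).Sum
        TopIds        = ($counts.GetEnumerator() | Sort-Object Value -Descending |
                         Select-Object -First 5 |
                         ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}
```

A channel whose IdsSeen stays at 0 over a realistic window is not the channel the define lists were written for, regardless of what the provider filter says.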
Hello,
A couple of questions:
- Which version of NXLog do you use? Just FYI: you're referring to the EE docs.
- On what Windows version are you working?
- Do you have anything interesting in your nxlog.log file (or whatever you named it)?
Thanks,
Rafal