Official NXLog conf mistake? MS AD Security Events don't match Channel

#1 RC_170741

Hi, I'm not sure if this is an NXLog conf mistake, or if I misunderstood it. The official NXLog conf file: https://nxlog.co/documentation/nxlog-user-guide/ad-domain-controller.html

The event IDs included in the conf file seem to be found on the Domain Controller under Event Viewer -> Windows Logs -> Security.

But in the conf file below, NXLog is trying to look for these events in "Directory Service", with [System[Provider[ @Name='Microsoft-Windows-ActiveDirectory_DomainService']]]

I did a test, and it seems that in "Directory Service" there are almost 0 events that are listed in "HighEventIds", "MediumEventIds" and "LowEventIds".

Can someone tell me if this is a mistake in the official NXLog conf file, or if I'm misunderstanding the conf file configuration?

Thanks

define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102

define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
                      4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
                      4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
                      4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
                      4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
                      5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
                      5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
                      6280, 24586, 24592, 24593, 24594

define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
                   4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
                   4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
                   4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
                   4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
                   4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
                   4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
                   4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
                   4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
                   4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
                   4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
                   4891, 4893, 4894, 4895, 4898, 5136, 5137

<Input events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Directory Service">
                <Select Path="Directory Service">
                    *[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID NOT IN (%HighEventIds%)) and
           ($EventID NOT IN (%MediumEventIds%)) and
           ($EventID NOT IN (%LowEventIds%)) drop();
    </Exec>
</Input>
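One way to settle which channel actually carries the IDs the conf lists, added here as an example (it is not from the thread or from the NXLog documentation): it reads the three define lists straight out of nxlog.conf, then counts, per channel, how many recent events have one of those IDs. The conf path, the two channel names, the 7-day window and the event cap are assumptions; run it in an elevated PowerShell on the DC, since reading Security needs admin rights.

```powershell
# Added example, not NXLog's own code. Placeholders to adjust:
$ConfPath  = 'C:\Program Files\nxlog\conf\nxlog.conf'   # assumed install path
$Channels  = 'Security', 'Directory Service'             # channels to compare
$Days      = 7                                           # look-back window
$MaxEvents = 100000                                      # cap per channel, keeps memory sane

function Get-ConfEventIds {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    # Captures "define XxxEventIds 1, 2, ..." whether or not the list uses '\'
    # line continuation; the character class stops at the next keyword or XML tag.
    $lists = @{}
    foreach ($m in [regex]::Matches($text, 'define\s+(\w+EventIds)\s+([\d,\s\\]+)')) {
        $nums = $m.Groups[2].Value -split '\D+' |
                Where-Object { $_ } |
                ForEach-Object { [int]$_ } |
                Sort-Object -Unique
        $lists[$m.Groups[1].Value] = [int[]]@($nums)
    }
    return $lists
}

function Get-ChannelIdCounts {
    param([string]$Channel, [int[]]$Ids, [int]$Days, [int]$MaxEvents)
    # Pull the window and filter client-side: putting 100+ IDs into FilterHashtable's
    # Id key would exceed the event log's per-query XPath expression limit.
    $since  = (Get-Date).AddDays(-$Days)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $Channel; StartTime = $since } `
                             -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    $hits   = @($events | Where-Object { $Ids -contains $_.Id })
    [pscustomobject]@{
        Channel     = $Channel
        TotalEvents = $events.Count
        Matching    = $hits.Count                                        # events with a listed ID
        DistinctIds = @($hits | Select-Object -ExpandProperty Id -Unique).Count
        ListedIds   = $Ids.Count                                         # how many IDs the conf names
    }
}

$lists  = Get-ConfEventIds -Path $ConfPath
$allIds = [int[]]@($lists.Values | ForEach-Object { $_ } | Sort-Object -Unique)
foreach ($ch in $Channels) {
    Get-ChannelIdCounts -Channel $ch -Ids $allIds -Days $Days -MaxEvents $MaxEvents
}
```

A channel whose Matching and DistinctIds stay at 0 while the other channel's climb is the one the <Select Path="..."> in the conf should not be pointing at; rerun with a longer window before drawing conclusions on a quiet DC.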

#2 raf (Deactivated) Nxlog ✓

Hello,

Couple of questions:

  1. Which version of NXLog do you use? Just FYI: you're referring to the EE docs.
  2. On what Windows version are you working?
  3. Do you have anything interesting in your nxlog.log file (or whatever you named it)?

Thanks,

Rafal