Windows Eventlog string filter
#1
TI_825837
OS:Windows server 2016
NXlog:CE-2.10.2150
I want to filter the Windows event log message string ("Test_Message").
It doesn't work. Please tell me what's wrong.
[nxlog.conf]
```
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets shift_jis, utf-8
</Extension>

###################################
# define input
###################################
define SystemError 10016, 10028, 36882

<Input in_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # drop events whose ID is in the SystemError list and whose Data equals the string
    # (string literals must use straight single quotes)
    <Exec>
        if ($EventID IN (%SystemError%) and
            ($Data == 'Test_Message')
        ) drop();
    </Exec>
    Exec convert_fields("shift_jis", "utf-8");
</Input>

###################################
# define output
###################################
<Output out_eventlog>
    Module om_udp
    Host **********
    Port 514
</Output>

###################################
# Route monitor
###################################
<Route route>
    Path in_eventlog => out_eventlog
</Route>
```
[Windows Eventlog] (XML)
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-09-09T01:41:53.762804400Z" />
    <EventRecordID>16834</EventRecordID>
    <Channel>System</Channel>
    <Computer>sv-otebk.ads.nttdata.co.jp</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Test_Message</Data>
  </EventData>
</Event>
```
Hello,

It seems your `<Data>` in `<EventData>` has a bad structure: no field name is provided. For a list of the fields supported by im_msvistalog, please refer to https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog_fields

Regards,
Rafal
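To make Rafal's point concrete, here is an added example (not NXLog's code and not part of either post) that parses the event XML the way a collector has to: `<System>` children become fields, a `<Data Name="...">` element becomes a field of that name, and a `<Data>` element without a `Name` attribute yields no named field at all, so a condition written against a named field cannot match it. The example then checks each condition of the posted filter separately. It also includes the query's channel selection, because the posted sample event reports `<Channel>System</Channel>` while the query selects `Path="Application"`, which is a second reason the drop would never fire. The second sample event (named data field, Application channel, EventID 10016) and the field name `Message` are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as in the posted event).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 1: the structure from the post (unnamed <Data>, System channel).
EVENT_UNNAMED = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data>Test_Message</Data>
  </EventData>
</Event>
"""

# Constructed sample 2 (hypothetical): a provider that names its data field and
# writes to the Application channel with one of the IDs from the post's define.
EVENT_NAMED = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleProvider" />
    <EventID Qualifiers="0">10016</EventID>
    <Level>2</Level>
    <Channel>Application</Channel>
  </System>
  <EventData>
    <Data Name="Message">Test_Message</Data>
  </EventData>
</Event>
"""

SYSTEM_ERROR_IDS = {10016, 10028, 36882}  # the post's "define SystemError"


def parse_event(xml_text):
    """Return (fields, unnamed_values).

    fields holds the System elements plus one entry per <Data Name="..."> element;
    unnamed_values collects the text of <Data> elements that carry no Name attribute,
    which is the situation the reply points out.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "Level": int(system.findtext("e:Level", namespaces=EVT_NS)),
        "Channel": system.findtext("e:Channel", namespaces=EVT_NS),
    }
    unnamed = []
    for data in root.iterfind("e:EventData/e:Data", EVT_NS):
        name = data.get("Name")
        if name:
            fields[name] = data.text or ""     # named data becomes a field
        else:
            unnamed.append(data.text or "")    # unnamed data has no field to match on
    return fields, unnamed


def evaluate_filter(xml_text, field_name="Message", message="Test_Message"):
    """Check each condition of the posted filter separately and report the outcome."""
    fields, unnamed = parse_event(xml_text)
    result = {
        "channel_selected": fields["Channel"] == "Application",  # query Path="Application"
        "level_selected": fields["Level"] in (1, 2),             # *[System[(Level=1 or Level=2)]]
        "eventid_in_set": fields["EventID"] in SYSTEM_ERROR_IDS,  # $EventID IN (%SystemError%)
        "named_field_present": field_name in fields,
        "named_field_matches": fields.get(field_name) == message,
        "unnamed_value_matches": message in unnamed,
    }
    # drop() can only fire for an event the query actually delivers and for which
    # both Exec conditions hold; an unnamed <Data> never satisfies the field comparison.
    result["drop"] = (
        result["channel_selected"]
        and result["level_selected"]
        and result["eventid_in_set"]
        and result["named_field_matches"]
    )
    return result


if __name__ == "__main__":
    for label, xml_text in (("unnamed", EVENT_UNNAMED), ("named", EVENT_NAMED)):
        print(label, evaluate_filter(xml_text))
```

Running it shows that the posted event matches only on `unnamed_value_matches`: the text is there, but not under any field name, and the event is on the System channel, so the filter as written has nothing to compare against. The hypothetical named event satisfies every condition and is dropped.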