Let's Talk
Let's Talk

Windows Eventlog string filter

Tags:
#1 TI_825837

OS:Windows server 2016
NXlog:CE-2.10.2150

I want to filter the Windows event log message string ("Test_Message"). ..
It doesn't work. Please tell me what's wrong

[nxlog.conf]
<br/>Panic Soft <br/>#NoFreeOnExit TRUE <br/> <br/>define ROOT C:\Program Files (x86)\nxlog <br/>define CERTDIR %ROOT%\cert <br/>define CONFDIR %ROOT%\conf <br/>define LOGDIR %ROOT%\data <br/>define LOGFILE %LOGDIR%\nxlog.log <br/>LogFile %LOGFILE% <br/> <br/>Moduledir %ROOT%\modules <br/>CacheDir %ROOT%\data <br/>Pidfile %ROOT%\data\nxlog.pid <br/>SpoolDir %ROOT%\data <br/> <br/>&lt;Extension _syslog&gt; <br/> Module xm_syslog <br/>&lt;/Extension&gt; <br/> <br/> <br/>&lt;Extension charconv&gt; <br/> Module xm_charconv <br/> AutodetectCharsets shift_jis, utf-8 <br/>&lt;/Extension&gt; <br/> <br/>################################### <br/># define input <br/>################################### <br/>define SystemError 10016, 10028, 36882 <br/> <br/>&lt;Input in_eventlog&gt; <br/> Module im_msvistalog <br/> &lt;QueryXML&gt; <br/> &lt;QueryList&gt; <br/> &lt;Query Id=&quot;0&quot; Path=&quot;Application&quot;&gt; <br/> &lt;Select Path=&quot;Application&quot;&gt;*[System[(Level=1 or Level=2)]]&lt;/Select&gt; <br/> &lt;/Query&gt; <br/>&lt;/QueryList&gt; <br/> &lt;/QueryXML&gt; <br/> <br/>&lt;Exec&gt; <br/> if ($EventID IN (%SystemError%) and <br/> ($Data == &rsquo;Test_Message&rsquo;) <br/> ) drop(); <br/>&lt;/Exec&gt; <br/>Exec convert_fields(&quot;shift_jis&quot;, &quot;utf-8&quot;); <br/>&lt;/Input&gt; <br/>################################### <br/># difine output <br/>################################### <br/>&lt;Output out_eventlog&gt; <br/> Module om_udp <br/> Host ********** <br/> Port 514 <br/>&lt;/Output&gt; <br/> <br/>################################### <br/># Route monitor <br/>################################### <br/>&lt;Route route&gt; <br/> Path in_eventlog =&gt; out_eventlog <br/>&lt;/Route&gt; <br/>

[Windows Eventlog]※XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="EventLog" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-09-09T01:41:53.762804400Z" />
<EventRecordID>16834</EventRecordID>
<Channel>System</Channel>
<Computer>sv-otebk.ads.nttdata.co.jp</Computer>
<Security />
</System>
- <EventData>
<Data>Test_Message</Data>
</EventData>
</Event>

Permalink
#2 rafDeactivated Nxlog ✓
#1 TI_825837
OS:Windows server 2016 NXlog:CE-2.10.2150 I want to filter the Windows event log message string ("Test_Message"). .. It doesn't work. Please tell me what's wrong [nxlog.conf] <br/>Panic Soft <br/>#NoFreeOnExit TRUE <br/> <br/>define ROOT C:\Program Files (x86)\nxlog <br/>define CERTDIR %ROOT%\cert <br/>define CONFDIR %ROOT%\conf <br/>define LOGDIR %ROOT%\data <br/>define LOGFILE %LOGDIR%\nxlog.log <br/>LogFile %LOGFILE% <br/> <br/>Moduledir %ROOT%\modules <br/>CacheDir %ROOT%\data <br/>Pidfile %ROOT%\data\nxlog.pid <br/>SpoolDir %ROOT%\data <br/> <br/>&lt;Extension _syslog&gt; <br/> Module xm_syslog <br/>&lt;/Extension&gt; <br/> <br/> <br/>&lt;Extension charconv&gt; <br/> Module xm_charconv <br/> AutodetectCharsets shift_jis, utf-8 <br/>&lt;/Extension&gt; <br/> <br/>################################### <br/># define input <br/>################################### <br/>define SystemError 10016, 10028, 36882 <br/> <br/>&lt;Input in_eventlog&gt; <br/> Module im_msvistalog <br/> &lt;QueryXML&gt; <br/> &lt;QueryList&gt; <br/> &lt;Query Id=&quot;0&quot; Path=&quot;Application&quot;&gt; <br/> &lt;Select Path=&quot;Application&quot;&gt;*[System[(Level=1 or Level=2)]]&lt;/Select&gt; <br/> &lt;/Query&gt; <br/>&lt;/QueryList&gt; <br/> &lt;/QueryXML&gt; <br/> <br/>&lt;Exec&gt; <br/> if ($EventID IN (%SystemError%) and <br/> ($Data == &rsquo;Test_Message&rsquo;) <br/> ) drop(); <br/>&lt;/Exec&gt; <br/>Exec convert_fields(&quot;shift_jis&quot;, &quot;utf-8&quot;); <br/>&lt;/Input&gt; <br/>################################### <br/># difine output <br/>################################### <br/>&lt;Output out_eventlog&gt; <br/> Module om_udp <br/> Host ********** <br/> Port 514 <br/>&lt;/Output&gt; <br/> <br/>################################### <br/># Route monitor <br/>################################### <br/>&lt;Route route&gt; <br/> Path in_eventlog =&gt; out_eventlog <br/>&lt;/Route&gt; <br/> [Windows Eventlog]※XML <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="EventLog" /> <EventID Qualifiers="0">1000</EventID> <Level>2</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2020-09-09T01:41:53.762804400Z" /> <EventRecordID>16834</EventRecordID> <Channel>System</Channel> <Computer>sv-otebk.ads.nttdata.co.jp</Computer> <Security /> </System> - <EventData> <Data>Test_Message</Data> </EventData> </Event>

Hello,

Seems your <Data> in <EventData> has bad structure - no field name is provided. For list of supported by im_msvistalog fields, please refer to https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog_fields

Regards,

Rafal
Login to see more