Windows Eventlog string filter
OS: Windows Server 2016
NXlog: CE-2.10.2150
I want to filter the Windows event log message string ("Test_Message").
It doesn't work. Please tell me what's wrong.
[nxlog.conf]
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets shift_jis, utf-8
</Extension>

###################################
# define input
###################################
define SystemError 10016, 10028, 36882

<Input in_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>

    <Exec>
        if ($EventID IN (%SystemError%) and
            ($Data == 'Test_Message')
        ) drop();
    </Exec>
    Exec convert_fields("shift_jis", "utf-8");
</Input>

###################################
# define output
###################################
<Output out_eventlog>
    Module om_udp
    Host **********
    Port 514
</Output>

###################################
# Route monitor
###################################
<Route route>
    Path in_eventlog => out_eventlog
</Route>
[Windows Eventlog] (XML view)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-09-09T01:41:53.762804400Z" />
    <EventRecordID>16834</EventRecordID>
    <Channel>System</Channel>
    <Computer>sv-otebk.ads.nttdata.co.jp</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Test_Message</Data>
  </EventData>
</Event>
Hello,
Seems your <Data> in <EventData> has a bad structure: no field name is provided. For a list of fields supported by im_msvistalog, please refer to https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog_fields
Regards,
Rafal
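As an added example (not part of the thread and not NXlog's own documentation), one way to make the drop condition independent of the unnamed <Data> element is to test the rendered $Message field, which im_msvistalog populates for every event; the event-ID list and the marker string come from the question, and it is assumed that the rendered message text contains the Data value.

```apache
# Event IDs from the question; only these are candidates for dropping.
define SystemError 10016, 10028, 36882

<Input in_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # An unnamed <Data> element creates no field, so $Data is never set.
    # $Message holds the message text rendered from the event; match the
    # marker inside it with a regular expression (assumption: the rendered
    # text includes the Data value). String and regex literals must use
    # plain ASCII quotes and slashes; typographic quotes are a parse error.
    <Exec>
        if ($EventID IN (%SystemError%) and $Message =~ /Test_Message/) drop();
    </Exec>
</Input>
```

Events that survive the filter can be checked by temporarily routing in_eventlog to an om_file output and inspecting which $Message values reach the file.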