Filtering event logs

#1 bgrzinic

Hi guys,

Could you please share your experience on filtering Windows event logs.

I have the following configuration in the Input tag:

Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>

# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
#Exec if ($raw_event =~ /INFO\s+62464/) drop();
# Query for event logs (takes only the defined ones)
#Query <QueryList>\
#<Query Id='1'>\
#<Select Path='Application'>*[System[(EventID='32068')]]</Select>\
#<Select Path='System'>*[System[(EventID='7001')]]</Select>\
#</Query>\
#</QueryList>
## Level 1 (ID=30  Critical)     severity level events
# Level 2 (ID=40  Error)        severity level events
# Level 3 (ID=50  Warning)      severity level events
# Level 4 (ID=80  Information)  severity level events
# Level 5 (ID=100 Verbose)      severity level events
# Drop level 4 and 5 severity logs


Exec if ($EventType == 'VERBOSE') OR ($EventType == 'Verbose') drop();
Exec if ($EventType == 'INFORMATION') OR ($EventType == 'Information') drop();
Exec if $raw_event =~ /INFO\s+4648/ drop();

..

I planned to filter specific events by entering the name of the 'eventtype' as in the example above. I would like to filter all Verbose, Information, and Warning levels. This unfortunately doesn't filter the Security INFORMATION level.

Could you please give a proper example of filtering logs by severity and by specific event_ID?

Thank you very much.

Appreciate the help.

#2 adm Nxlog ✓

Doing a regexp like this might not be the cleanest solution:

Exec if $raw_event =~ /INFO\s+4648/ drop();

Instead you should do this:

Exec if ($EventType == 'INFO' and $EventID == 4648) drop();

Note that $EventID is unique within each source, so you should also check $SourceName.
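The following is an added example of what the answer above describes, written for this page and not taken from NXLog's documentation or from either poster. It combines the two filtering layers the thread discusses: severity is filtered in the XPath Query (so the Windows API never hands the unwanted records to NXLog), and individual events are dropped in Exec by $EventID together with $SourceName. It assumes the im_msvistalog module, the field names $EventType, $EventID and $SourceName used in the answer, and that NXLog sets $EventType to AUDIT_SUCCESS / AUDIT_FAILURE for Security audit records (which carry Level 0 rather than Level 4, which is why an 'INFORMATION' comparison never matched them in the original post); the provider name 'Microsoft-Windows-Security-Auditing' for event 4648 is assumed from Windows, not from the page.

```nxlog
<Input eventlog>
    Module  im_msvistalog

    # Severity filter done in XPath: keep Critical (1), Error (2) and Warning (3)
    # from Application and System. Level 0 ("LogAlways") is kept too because
    # Security audit records are written at Level 0, not Level 4.
    # Security is selected whole and filtered below by $EventType.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*[System[(Level=0 or Level=1 or Level=2 or Level=3)]]</Select>\
                    <Select Path="System">*[System[(Level=0 or Level=1 or Level=2 or Level=3)]]</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>

    # Severity filter on fields (assumed $EventType values: CRITICAL, ERROR,
    # WARNING, INFO, VERBOSE, AUDIT_SUCCESS, AUDIT_FAILURE). Anything that slipped
    # past the XPath at Level 4/5 is dropped here without regex matching on $raw_event.
    Exec    if ($EventType == 'INFO' or $EventType == 'VERBOSE') drop();

    # Specific event ID: check the source too, because IDs are only unique per source.
    # 4648 is the ID from the original post; the provider name is an assumption.
    Exec    if ($EventID == 4648 and \
                $SourceName == 'Microsoft-Windows-Security-Auditing') drop();
</Input>
```

Two design points: filtering in the XPath Query is cheaper than an Exec drop because the record is never read out of the channel, so put the broad severity cut there and reserve Exec for the per-event exceptions. And dropping by ID is a visibility trade: 4648 (logon with explicit credentials) is one of the events analysts commonly look at when reconstructing lateral movement, so keep the list of suppressed Security IDs short and documented in the config comments, as above.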