Nxlog Community - Forwarding Event Log - Drop messages

#1 IB_956097

Hi All,

I'm testing the possibility of forwarding Windows security logs to a SIEM. Everything seems OK, but I'm not able to drop messages with some values.

For example, we have some events with:

$TargetUsername = DWM-"1to11" (example: DWM-1)
$TargetUsername = UMFD-"1to11" (example: UMFD-4)
$TargetUsername = pcname$ (example: HOSTNAME$)
$TargetUsername = Anonymous Access

I'm able to drop "Anonymous Access" with this command:

Exec if $TargetUserName == "Anonymous Access" drop();

but for the other events, I can't use

Exec if $TargetUserName == "UMFD" drop();

because there are multiple events like UMFD-1, UMFD-2, UMFD-3, or usernames with "$" at the end of the $TargetUserName value.

I have tried this configuration, but it seems not to work:

Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thank you

#2 manuel.munoz (Deactivated) Nxlog ✓

Ivano,

I think here you would need to escape the dollar symbol:

Exec if $TargetUserName =~ /\$/ drop();

Can you post here your config file?
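For reference, here is one way to express all four filters from the question in a single im_msvistalog input. This is an added example, not the reply author's or NXLog's own configuration; it assumes the $TargetUserName field name used in the question, and the SIEM host and port are placeholders. The patterns are anchored so that "DWM" or "UMFD" only match the numbered session accounts and not a real user whose name happens to contain those letters, and the trailing dollar of computer accounts is escaped because an unescaped $ in a regex is an end-of-string anchor that matches every value, which would drop every event.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    <Exec>
        # Window manager (DWM-n) and font driver (UMFD-n) session accounts
        if $TargetUserName =~ /^(?:DWM|UMFD)-\d+$/ drop();
        # Computer accounts end in a literal "$" (HOSTNAME$); escape it
        if $TargetUserName =~ /\$$/ drop();
        # Exact match, as in the question
        if $TargetUserName == "Anonymous Access" drop();
    </Exec>
</Input>

<Output siem>
    Module  om_tcp
    # Placeholder: replace with your SIEM collector address
    Host    siem.example.internal
    Port    514
</Output>

<Route eventlog_to_siem>
    Path    eventlog => siem
</Route>
```

Events whose $TargetUserName field is absent are not affected, since a comparison against an undefined field does not match.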