I'm trying to figure out a good way of only forwarding along events of significance and to filter out the rest - but without having hundreds of lines of XPath queries in nxlog.conf file. I understand that multiple blocks are AND'd together and that 'type' may only be "exact or regexp", but there doesn't appear to be any negation logic (e.g. NOT item or OR item).

Is the 'pm_pattern' module the best approach for trying to accomplish this? Can pattern matches in the patterndb.xml file be defined to drop matching messages? Would a viable approach be to define capture groups to set a variable, then just have something like 'Exec if defined $unwantedMatch { drop();}?

XPath Query: <Suppress Path="Security"> *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]] and *[EventData[ ( (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') or Data[@Name='TargetUserName']='ANONYMOUS LOGON' or Data[@Name='TargetUserSID']='S-1-5-18' )]] </Suppress>

patterndb.xml attempt: 7 Suppress Service Logons EventID regexp 4624|4625|4634 Level regexp 0|4 if ( $LogonType =~ /0|5/ or $TargetUserName == 'ANONYMOUS LOGON' or $TargetUserSID == 'S-1-5-18' ) drop();

XPath Query:

patterndb.xml attempt: 2 Pass the Hash Success Detection EventID exact 4624 Severity exact INFO LogonType exact 3 AuthenticationPackageName exact NTLM TargetUserName regexp (?!ANONYMOUS LOGON) TargetDomainName regexp (?!TEST) $PatternID=2;

Thank you for any wisdom/assisstance.