Unable to filter multiple Event IDs from security logs using im_msvistalog module

View thread

AshishKumar

Hi, I am doing POC on NXlog for Philips product and when i am extracting eventlogs only for security by using im_msvistalog module then it's successfully extracting logs & sending to splunk server but when i am putting filter by referring https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html where i have used ExtendedWindowsToCollect in Input tag then facing multiple error like unused modules, couldn't parse to Exec. Please see the below details of conf & log files. Please help me here if config file is required any changes. Note: Defined Event IDs are just an example since i have big list to be added in config file.

config file Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d

Note that these two lines define constants only; the log file location

is ultimately set by the LogFile directive (see below). The

MYLOGFILE define is also used to rotate the log file automatically

(see the _fileop block).

define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log

If you are not using NXLog Manager, disable the include line

and enable LogLevel and LogFile.

include %CONFDIR%*.conf

#LogLevel INFO #LogFile %MYLOGFILE%

Define security IDs

define Security 4634, 4647, 4648, 4656, 4661, 4662, 4672, 4688,
4689, 4704, 4705, 4706, 4707, 4713, 4716, 4717, \ 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726,
4727, 4728, 4729, 4730

<Extension _syslog>

Module      xm_syslog

</Extension>

<Extension _json>

Module      xm_json

</Extension>

<Input ExtendedWindowsToCollect>

Module               im_msvistalog
TolerateQueryErrors  TRUE
&lt;QueryXML&gt;
    &lt;QueryList&gt;
         &lt;Query Id='0'&gt;
             &lt;Select Path ='Security'&gt;*&lt;/Select&gt;

</Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%Security%) drop(); </Exec> </Input>

<Output TCP>

Module      om_tcp
Host        10.232.44.92
Port        1524
Exec        to_json();

</Output> <Route Out>

Path        ExtendedWindowsToCollect = TCP

</Route>

This block rotates %MYLOGFILE% on a schedule. Note that if LogFile

is changed in managed.conf via NXLog Manager, rotation of the new

file should also be configured there.

<Extension _fileop> Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
&lt;Schedule&gt;
    Every   1 hour
    &lt;Exec&gt;
        if ( file_exists('%MYLOGFILE%') and
             (file_size('%MYLOGFILE%') &gt;= 5M) )
        {
             file_cycle('%MYLOGFILE%', 8);
        }
    &lt;/Exec&gt;
&lt;/Schedule&gt;

# Rotate our log file every week on Sunday at midnight
&lt;Schedule&gt;
    When    @weekly
    Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
&lt;/Schedule&gt;

</Extension>

config log file 2021-07-30 00:02:23 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module TCP 2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' is already defined at C:\Program Files\nxlog\conf\nxlog.conf:63 2021-07-30 00:03:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:03:53 WARNING [CORE|main] no functional input modules! 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 ERROR [CORE|main] route Out is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-30 00:03:53 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect 2021-07-30 00:03:53 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-30 00:03:54 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-30 00:03:54 INFO [xm_admin|agent_managment] reconnecting in 1 sec 2021-07-30 00:03:55 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-30 00:23:22 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:23:22 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:23:22 WARNING [CORE|main] no functional input modules! 2021-07-30 00:23:22 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:23:22 ERROR [CORE|main] exiting... 2021-07-30 00:24:27 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:24:27 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:24:27 WARNING [CORE|main] no functional input modules! 2021-07-30 00:24:27 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:24:27 ERROR [CORE|main] exiting... 2021-07-30 00:25:32 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:25:32 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:25:32 WARNING [CORE|main] no functional input modules! 2021-07-30 00:25:32 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:25:32 ERROR [CORE|main] exiting... 2021-07-30 00:25:43 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:25:43 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:25:43 WARNING [CORE|main] no functional input modules! 2021-07-30 00:25:43 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:25:43 ERROR [CORE|main] exiting... 2021-07-30 00:26:36 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:26:36 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:26:36 WARNING [CORE|main] no functional input modules! 2021-07-30 00:26:36 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:26:36 ERROR [CORE|main] exiting... 2021-07-30 00:27:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:02 ERROR [CORE|main] exiting... 2021-07-30 00:27:40 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:40 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:40 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:40 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:40 ERROR [CORE|main] exiting... 2021-07-30 00:27:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:53 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:53 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:53 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:53 ERROR [CORE|main] exiting... 2021-07-30 00:28:07 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:07 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:07 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:07 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:07 ERROR [CORE|main] exiting... 2021-07-30 00:28:46 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:46 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:46 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:46 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:46 ERROR [CORE|main] exiting... 2021-07-30 00:28:58 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:58 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:58 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:58 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:58 ERROR [CORE|main] exiting... 2021-07-30 00:29:13 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:13 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:13 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:13 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:13 ERROR [CORE|main] exiting... 2021-07-30 00:29:50 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:50 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:50 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:50 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:50 ERROR [CORE|main] exiting... 2021-07-30 00:30:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:30:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:30:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:30:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:30:02 ERROR [CORE|main] exiting...