NXLog search
Let's talk Start free
Let's talk Start free

How to filter Windows Server event by level

View thread
tevfikceydeliler

Hi, I install NXLog Enterprise Edition v5 trial And try to filter out events before send to SIEM. I can get some events and see SIEM side. But when I create fake event , cannot see all. What I want? I want to forward Windows server APP, SEC ve SYS logs that have only WARNING,ERROR and CRITICAL levels in CEF format Is that config part correct?

 <Extension _syslog>
Module  xm_syslog
</Extension>

<Extension _cef>
Module xm_cef
</Extension>

<Input in_jornal>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
# Channel Security
<QueryXML>
<QueryList>
<Query Id='0'>
	<Select Path='Application'>
		*[System/Level&lt;4]
	</Select>
	<Select Path='Security'>
		*[System/Level&lt;4]
	</Select>
	<Select Path='System'>
		*[System/Level&lt;4]
	</Select>
</Query>
</QueryList>
</QueryXML>