Simple Question "What is wrong with my config?"
Config works without the <QueryXML> lines. When I add those lines it stops sending any data. I tested with user modification or login fail etc.
Thanks for your help
<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension xml>
    Module  xm_xml
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1102 or EventID=4719 or EventID=4704 or EventID=4717 or EventID=4738 or EventID=4798 or EventID=4705 or EventID=4674 or EventID=4697 or EventID=4648 or EventID=4723 or EventID=4946 or EventID=4950 or EventID=6416 or EventID=6424 or EventID=4732)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    $Message = to_xml(); to_syslog_bsd();
</Input>

<Output tcp>
    Module  om_tcp
    Host    127.0.0.1
    Port    514
</Output>

<Route eventlog_to_tcp>
    Path    eventlog => tcp
</Route>
Hi Anıl,
There is nothing wrong with the query itself. You're probably not getting logs immediately because the events that pass the specified filter have yet to be created.
I hope this helps.
Regards,
Jeffron
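One way to confirm this before touching the NXLog side is to run the very same QueryList against the local Security log with Get-WinEvent, which accepts the same event-log XML query language that im_msvistalog's <QueryXML> block uses. The script below is an added example, not part of either post or of NXLog; it embeds the asker's query verbatim and reports whether any events currently match. Note that a failed logon is recorded as Event ID 4625 in the Security log, which is not one of the IDs in this filter, so a failed-logon test would not produce output even with a working config. Reading the Security log requires an elevated PowerShell session.

```powershell
# Added example (not from the original thread): check whether any events on this
# host match the filter that the NXLog <QueryXML> block selects.
# Run from an elevated PowerShell prompt; the Security log needs admin rights to read.

# The QueryList copied from the NXLog configuration in the question.
$queryXml = @'
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1102 or EventID=4719 or EventID=4704 or EventID=4717 or EventID=4738 or EventID=4798 or EventID=4705 or EventID=4674 or EventID=4697 or EventID=4648 or EventID=4723 or EventID=4946 or EventID=4950 or EventID=6416 or EventID=6424 or EventID=4732)]]</Select>
  </Query>
</QueryList>
'@

# Pull up to 20 matching events, newest first. -ErrorAction Stop turns the
# "No events were found" condition into an exception we can catch explicitly.
try {
    $matches = Get-WinEvent -FilterXml $queryXml -MaxEvents 20 -ErrorAction Stop
}
catch [Exception] {
    $matches = @()
}

if (-not $matches) {
    Write-Host "No Security events currently match the <QueryXML> filter."
    Write-Host "NXLog is not at fault yet: nothing exists for it to forward."
}
else {
    Write-Host ("{0} matching event(s) found; NXLog should forward these:" -f $matches.Count)
    $matches |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName |
        Format-Table -AutoSize
}

# Sanity check on the test actions: list the IDs the filter actually selects,
# so you can verify that the action you triggered is one of them.
$selectedIds = [regex]::Matches($queryXml, 'EventID=(\d+)') | ForEach-Object { [int]$_.Groups[1].Value }
Write-Host ("Event IDs selected by the filter: " + ($selectedIds -join ', '))
```

If the script prints matching events while NXLog still sends nothing, the filter is ruled out and the investigation moves to the route and the TCP listener on 127.0.0.1:514; if it prints nothing, generate one of the listed events (for example a change to a user account, which is 4738) and re-run it before changing the configuration.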