Windows event logging


#1 scotty

Forgive my ignorance, but I'm looking to use NXLog to capture all Windows events under System, Application and Security, whether they be Audit, Info, Error or Critical. Am I correct in my assumption that with no filters it should collect everything?

    <Select Path='Application'></Select>
    <Select Path='Security'></Select>
    <Select Path='System'></Select>

Or do I need to specify each severity level on a single line? For example:

    <Select Path='Application'>[System/Level=4]</Select>
    <Select Path='Application'>[System/Level=3]</Select>
    <Select Path='Application'>[System/Level=2]</Select>

and so on?

#2 gahorvath Nxlog ✓

Hi Scotty,

The module in the end is using the common Event Log APIs. You can even test your filter in Event Viewer.

See here for an example.

The answer to your question is, yes, it should just work with

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Or w/o specifying a filter:

<Input eventlog>
    Module im_msvistalog
</Input>

Gabor
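
The reply above notes that the query goes through the Windows Event Log API and can be tested outside NXLog. The following is an added example, not part of gahorvath's reply: it runs the same `*` selector against each of the three channels with `Get-WinEvent` and tabulates which levels and keywords come back. The sample size is an arbitrary value chosen for this check, and reading the Security channel assumes an elevated session.

```powershell
# Added example, not from the thread. Run elevated: the Security log
# is readable only by administrators.

# Channels named in the thread's <QueryXML> block.
$channels = 'Application', 'Security', 'System'

# Arbitrary sample size per channel (assumption for this check).
$sampleSize = 2000

$summary = foreach ($channel in $channels) {
    # Same selector the NXLog config uses: '*' matches every event.
    $query = [xml]@"
<QueryList>
  <Query Id='0'>
    <Select Path='$channel'>*</Select>
  </Query>
</QueryList>
"@

    $events = Get-WinEvent -FilterXml $query -MaxEvents $sampleSize `
                           -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No events returned for '$channel' (empty log or access denied)."
        continue
    }

    # One row per level actually present in the sample.
    $events | Group-Object -Property Level | ForEach-Object {
        [pscustomobject]@{
            Channel   = $channel
            Level     = $_.Group[0].Level
            LevelName = $_.Group[0].LevelDisplayName
            # Audit Success / Audit Failure is carried in Keywords, not Level.
            Keywords  = ($_.Group.KeywordsDisplayNames |
                            Where-Object { $_ } |
                            Select-Object -Unique) -join ', '
            Count     = $_.Count
        }
    }
}

$summary | Sort-Object Channel, Level | Format-Table -AutoSize
```

If a level or audit keyword you expect is missing from the table, check whether the channel simply holds no such events in the sampled window before changing the query.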