Request trial
Request Trial

Update required of a specific windows EventID

Tags: NXLog Enterprise Edition
#1 dudu.confirm@gmail.com

Hi, 

Doing my first steps with NXlog.

I have managed to collect all “Security” windows event log and also managed to update the “Version” parameter to my own parameter - Just for a test purposes 

Now I need to perform 3 tasks 

  1. Collect all “Security” windows event log - Done
  2. Update the “Version” parameter from int to string - Done 
  3. Update the “Hostname” parameter of specific event ID (for example EventID":4656) to “test”  - Please advice 

Thank you 

<Input eventlog>   Module  im_msvistalog   <QueryXML>       <QueryList>           <Query Id='0'>    <Select Path='Security'>*</Select>           </Query>       </QueryList>   </QueryXML><Exec>       $Hostname = "test" ;      # This task should be only for eventID 4656       $Version = string($Version);       to_json();   </Exec></Input>

 

Permalink
#2 gahorvath Nxlog ✓

Hi,

Welcome to the party :)

NXLog's configuration language supports conditional statements. The configuration below is adapted to your request. 

<Input eventlog>
   Module  im_msvistalog
   <QueryXML>
      <QueryList>
         <Query Id='0'>
         <Select Path='Security'>*</Select>
         </Query>
      </QueryList>
   </QueryXML>
   <Exec>
      if $EventID = 4556 {
         $Hostname = "test" ;      # This task should be only for eventID 4656
      }
      $Version = string($Version);
      to_json();
   </Exec>
</Input>

You can use the corresponding part of the documentation I linked under Resources to learn more.

Resources:

https://docs.nxlog.co/ce/current/index.html#lang_statement_if

Gabor
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS