How to forward Windows Event Log entries filtered by severity level.
Hello,
I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to forward only Event Log entries whose severity level is between 1 and 3, but I have no idea how to do it. Despite my research and testing, nothing seems to work.
Below, you can see the original “nxlog.conf” configuration file for my DC server:
# NXLog CE configuration for the DC server (original, noise-reduction version).
# NOTE(review): ROOT is defined twice. Presumably the later define takes
# effect, so ROOT would resolve to the "(x86)" path; the stock nxlog.conf
# ships with one of the two commented out, which may have been lost when
# pasting. Keep only the line that matches the actual install folder.
define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Provides to_syslog_snare(), used by the output block below.
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
# Noise reduction: each Exec below drops one (severity, event id) pair before
# the event reaches the route. Anything not listed is forwarded unchanged, so
# this list does not by itself restrict output to a severity range.
# NOTE(review): im_msvistalog documents the event id field as $EventID;
# confirm that the $EventId spelling used here is matched by this release,
# otherwise none of these drop rules apply.
#011Information
Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop();
Exec if ($Severity == 'INFO' and ($EventId == 0)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 107)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 112)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 129)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 146)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 200)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 201)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 20)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 3)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 505)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 600)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop();
#011Warning
Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop();
#011Success
# NOTE(review): 4672 (special privileges assigned to a new logon) and 4799
# (security-enabled local group membership enumerated) are Security-channel
# audit events that privileged-logon and reconnaissance detections commonly
# rely on; consider forwarding them and suppressing at the collector instead.
# Also, im_msvistalog's documented $Severity values do not include 'SUCCESS'
# (audit success/failure is exposed via $EventType), so these two lines may
# never match — confirm against a received event before relying on them.
Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop();
Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop();
#011Error
Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop();
Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop();
</Input>
<Output out>
Module om_tcp
# Plain TCP, no TLS: events (including Security-channel data) cross the
# network unencrypted and unauthenticated. om_ssl with certificate
# verification is the safer transport if the collector supports it.
Host supervision
Port 514
# Formats each event as Snare-style syslog before sending.
Exec to_syslog_snare();
</Output>
# Single route: everything surviving the drop rules goes to the collector.
<Route 1>
Path in => out
</Route>
Below, you can see my new “nxlog.conf” configuration file for my DC server:
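# NXLog CE configuration for the DC server (severity-filtered version).
# NOTE(review): ROOT is defined twice. Presumably the later define takes
# effect, so ROOT would resolve to the "(x86)" path; the stock nxlog.conf
# ships with one of the two commented out. Keep only the line that matches
# the actual install folder.
define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Provides to_syslog_snare(), used by the output block below.
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
# Source-side filter: only events with Windows Level 1 (Critical), 2 (Error)
# or 3 (Warning) are read from each channel. A Windows event selector must
# start with "*" (the event element) followed by the predicate; the earlier
# "[System[...]]" form lacked the "*" and is not a valid selector, which is
# the most likely reason no events arrived.
# NOTE(review): Security-channel audit events generally carry Level=0 and
# express success/failure through Keywords rather than Level, so a Level 1-3
# filter is expected to pass almost nothing from that channel. Confirm against
# a sample event's XML and filter Security on Keywords (or leave it unfiltered)
# if audit failures are wanted.
<QueryXML>
<QueryList>
<Query Id='0' Path='Application'>
<Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_tcp
# Plain TCP, no TLS: events (including Security-channel data) cross the
# network unencrypted and unauthenticated. om_ssl with certificate
# verification is the safer transport if the collector supports it.
Host supervision
Port 514
# Formats each event as Snare-style syslog before sending.
Exec to_syslog_snare();
</Output>
# Single route: everything the query selects goes to the collector.
<Route 1>
Path in => out
</Route>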
Below, you can see an extract of the log file for the NXLog agent for my DC server:
2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started
2023-12-11 13:42:40 INFO connecting to supervision:514
2023-12-11 14:00:21 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:25 INFO connecting to supervision:514
2023-12-11 14:00:49 WARNING stopping nxlog service
2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:50 INFO connecting to supervision:514
2023-12-11 14:05:41 WARNING stopping nxlog service
2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:05:45 INFO connecting to supervision:514
2023-12-11 14:14:38 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:16:27 INFO connecting to supervision:514
2023-12-11 14:19:51 WARNING stopping nxlog service
2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:19:53 INFO connecting to supervision:514
2023-12-11 14:21:53 WARNING stopping nxlog service
2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:21:54 INFO connecting to supervision:514
I also tried options such as:
# Drops INFO-severity events only; DEBUG/verbose events still pass, and this
# alone does not limit output to Windows Level 1-3. Dropping on the numeric
# severity is closer to the intent (e.g. `if $SeverityValue < 3 drop();`) —
# verify the field name and value scale against the im_msvistalog
# documentation for this release before relying on it.
Exec if ($Severity == 'INFO') drop();
And I tried modifying the “input” field with the different values below, but nothing seems to work.
<!-- The supported Windows event selector form is "*[System[...]]": a leading
     "*" for the event element, then the condition in square brackets.
     "[System/Level<3]" has neither, and a literal "<" inside element text is
     not well-formed XML (it must be written "&lt;"), so presumably the whole
     QueryList is rejected rather than just these three lines. -->
<Select Path='Application'>[System/Level<3]</Select>
<Select Path='Security'>[System/Level<3]</Select>
<Select Path='System'>[System/Level<3]</Select>
<!-- Missing the leading "*"; compare with the last Security line below,
     which is the valid form. One malformed Select in a QueryList is
     presumably enough to invalidate the query as a whole, which would
     match "nothing seems to work". -->
<Select Path='Application'>[System[Level=3]]</Select>
<Select Path='System'>[System[Level=3]]</Select>
<Select Path='Security'>[System[Level=3]]</Select>
<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<!-- Valid selector form (note the "*"). NOTE(review): Security-channel audit
     events generally carry Level=0, so a Level 1-3 filter on this channel is
     expected to match almost nothing; confirm against a sample event's XML. -->
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
Unfortunately, I'm far from being a specialist in log processing and management, so if you have an idea to suggest to help me solve my problem, I would be very grateful.
Thank you in advance,
Arn_no