How to transfer Windows EventLog by choosing the severity level.


iris (Last updated )

Hello,

I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to import only EventLogs that correspond to a severity level between 1 and 3, but I really have no idea how to do it. Despite my research and testing, nothing seems to work.

Below, you can see the original “nxlog.conf” configuration file for my DC server:

define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
   Module      xm_syslog
</Extension>

<Input in>
   Module      im_msvistalog
# Information
Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop();
Exec if ($Severity == 'INFO' and ($EventId == 0)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 107)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 112)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 129)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 146)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 200)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 201)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 20)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 3)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 505)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 600)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop();
# Warning
Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop();
# Success
Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop();
Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop();
# Error
Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop();
Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop();
</Input>

<Output out>
   Module      om_tcp
   Host        supervision
   Port        514
   Exec        to_syslog_snare();
</Output>

<Route 1>
   Path        in => out
</Route>

Below, you can see my new “nxlog.conf” configuration file for my DC server:

define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
Module im_msvistalog
    <QueryXML>
<QueryList>
<Query Id='0' Path='Application'>
<Select Path='Application'>*[System[(Level=1  or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1  or Level=2 or Level=3)]]</Select>
<Select Path='Setup'>*[System[(Level=1  or Level=2 or Level=3)]]</Select>
<Select Path='System'>*[System[(Level=1  or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_tcp
    Host        supervision
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>

Below, you can see an extract of the log file for the NXLog agent for my DC server:

2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started
2023-12-11 13:42:40 INFO connecting to supervision:514
2023-12-11 14:00:21 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:25 INFO connecting to supervision:514
2023-12-11 14:00:49 WARNING stopping nxlog service
2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:50 INFO connecting to supervision:514
2023-12-11 14:05:41 WARNING stopping nxlog service
2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:05:45 INFO connecting to supervision:514
2023-12-11 14:14:38 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:16:27 INFO connecting to supervision:514
2023-12-11 14:19:51 WARNING stopping nxlog service
2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:19:53 INFO connecting to supervision:514
2023-12-11 14:21:53 WARNING stopping nxlog service
2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:21:54 INFO connecting to supervision:514

I also tried options such as:

Exec if ($Severity == 'INFO') drop();

And I tried modifying the “input” field with the different values below, but nothing seems to work.

<Select Path='Application'>*[System/Level<3]</Select>
<Select Path='Security'>*[System/Level<3]</Select>
<Select Path='System'>*[System/Level<3]</Select>
<Select Path='Application'>*[System[Level=3]]</Select>
<Select Path='System'>*[System[Level=3]]</Select>
<Select Path='Security'>*[System[Level=3]]</Select>
<Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>

Unfortunately, I'm far from being a specialist in log processing and management, so if you had an idea to suggest to help me solve my problem, I would be very grateful.

Thank you in advance,

Arn_no
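One check worth running before touching nxlog.conf is to execute the same QueryList XML with Get-WinEvent on the DC itself: if the query returns nothing there, it will return nothing through im_msvistalog either. The script below is an added example written for this page, not code from the post or from NXLog. It uses the QueryList from the post with one change: Windows writes Security audit events with Level 0, so a Level 1..3 filter never matches anything in the Security channel, and the Security line is rewritten to select Audit Failure events by keyword instead (0x10000000000000 is the Audit Failure keyword, 0x20000000000000 is Audit Success). Run it in an elevated PowerShell session, since reading the Security log requires administrator or Event Log Readers rights.

```powershell
# Added example: validate an im_msvistalog QueryXML outside NXLog.
# Same QueryList as in the post, except the Security channel is selected by
# audit keyword rather than by Level (Security audit events have Level=0).
$queryXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Setup">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <!-- 4503599627370496 = 0x10000000000000 = Audit Failure keyword.
         Use 9007199254740992 (0x20000000000000) for Audit Success. -->
    <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>
'@

# 1. Run the exact query the agent would run and count matches per channel.
#    Get-WinEvent throws "No events were found" instead of returning an empty set,
#    so treat that as a result, not a crash.
try {
    $events = Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 2000 -ErrorAction Stop
} catch {
    Write-Warning "Query returned no events or failed: $($_.Exception.Message)"
    $events = @()
}
"Matches per channel for the query above:"
$events | Group-Object LogName | Select-Object Name, Count | Format-Table -AutoSize

# 2. Show why a Level-only filter loses the Security channel:
#    the Level distribution of recent Security events is all 0.
"Level values seen in the Security channel:"
Get-WinEvent -LogName Security -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object Level | Select-Object Name, Count | Format-Table -AutoSize

# 3. Confirm each channel named in the query exists on this host and is readable
#    by the current account, and how many records it holds.
foreach ($channel in 'Application', 'Security', 'Setup', 'System') {
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        Write-Warning "channel '$channel' not found or not readable by this account"
    } else {
        "{0,-12} enabled={1,-5} records={2,-8} bytes={3}" -f $channel, $log.IsEnabled, $log.RecordCount, $log.FileSize
    }
}
```

If step 1 prints counts for Application and System but nothing for Security, the Level filter is the cause; if step 3 warns that a channel is unreadable, the account NXLog runs under needs to be in the Event Log Readers group (or run as SYSTEM) before any query will return those events.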