How to transfer Windows EventLog by choosing the severity level.
Hello,
I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to import only EventLogs that correspond to a severity level between 1 and 3, but I really have no idea how to do it. Despite my research and testing, nothing seems to work.
Below, you can see the original “nxlog.conf” configuration file for my DC server:
define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
# Information
Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop();
Exec if ($Severity == 'INFO' and ($EventId == 0)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 107)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 112)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 129)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 146)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 200)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 201)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 20)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 3)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 505)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 600)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop();
# Warning
Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop();
# Success
Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop();
Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop();
# Error
Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop();
Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop();
</Input>
<Output out>
Module om_tcp
Host supervision
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
Below, you can see my new “nxlog.conf” configuration file for my DC server:
define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0' Path='Application'>
<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Setup'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_tcp
Host supervision
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
Below, you can see an extract of the log file for the NXLog agent for my DC server:
2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started
2023-12-11 13:42:40 INFO connecting to supervision:514
2023-12-11 14:00:21 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:25 INFO connecting to supervision:514
2023-12-11 14:00:49 WARNING stopping nxlog service
2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:50 INFO connecting to supervision:514
2023-12-11 14:05:41 WARNING stopping nxlog service
2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:05:45 INFO connecting to supervision:514
2023-12-11 14:14:38 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:16:27 INFO connecting to supervision:514
2023-12-11 14:19:51 WARNING stopping nxlog service
2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:19:53 INFO connecting to supervision:514
2023-12-11 14:21:53 WARNING stopping nxlog service
2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:21:54 INFO connecting to supervision:514
I also tried options such as:
Exec if ($Severity == 'INFO') drop();
And I tried modifying the “input” field with the different values below, but nothing seems to work.
<Select Path='Application'>[System/Level<3]</Select>
<Select Path='Security'>[System/Level<3]</Select>
<Select Path='System'>[System/Level<3]</Select>
<Select Path='Application'>[System[Level=3]]</Select>
<Select Path='System'>[System[Level=3]]</Select>
<Select Path='Security'>[System[Level=3]]</Select>
<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
Unfortunately, I'm far from being a specialist in log processing and management, so if you had an idea to suggest to help me solve my problem, I would be very grateful.
Thank you in advance,
Arn_no
Hi Arn_no,
There are at least two ways to approach the config. Option one is to use the XPath language. This is the same syntax that Microsoft uses in their Event Viewer. When you create a Custom Filter, just switch to the XML tab and copy/paste the filter to the NXLog configuration:
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
Instead of using the XPath filter above to filter your events, you could allow everything through and then use the NXLog language to drop the events you don't need, taking advantage of the relevant parsed field, which in your case is $SeverityValue
(please have a look at https://docs.nxlog.co/ce/current/index.html#im_mseventlog_fields )
e.g. Exec if (($Severity == 'ERROR' and ($EventId == 2028)) or (($SeverityValue > 3) or ($SeverityValue < 1))) drop();
I hope this helps!
Cheers,
Konstantinos
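As an added check that is not part of the thread, the PowerShell below runs the answer's XPath against the live event log with Get-WinEvent, so the filter can be validated before it goes into nxlog.conf and the agent is restarted. It assumes the Application, System and Security channels named in the question and an elevated prompt on the server.

```powershell
# Added example, not from the thread: validate the XPath filter with
# Get-WinEvent before putting it into nxlog.conf (elevated prompt; the
# Security channel is not readable by non-administrators).

# Same XPath as the answer. Windows Level: 1 Critical, 2 Error, 3 Warning,
# 4 Information, 5 Verbose. Note the leading '*', which the question's
# <Select> entries lacked.
$levelFilter = '*[System[(Level=1 or Level=2 or Level=3)]]'

# Caveat: Security audit events carry Level 0 (LogAlways), so a Level
# filter matches nothing on that channel. Audit Failure is a Keywords
# bit (0x0010000000000000 = 4503599627370496), tested with band().
$auditFailure = '*[System[band(Keywords,4503599627370496)]]'

$query = [xml]@"
<QueryList>
  <Query Id="0">
    <Select Path="Application">$levelFilter</Select>
    <Select Path="System">$levelFilter</Select>
    <Select Path="Security">$auditFailure</Select>
  </Query>
</QueryList>
"@

$events = @(Get-WinEvent -FilterXml $query -MaxEvents 200 -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning 'Filter matched no events; check the XPath and channel names.'
    return
}

# What the filter lets through, per channel and level.
$events | Group-Object LogName, Level | Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Nothing from Application/System should be Level 4 (Information) or 5 (Verbose).
$leaked = @($events | Where-Object { $_.LogName -ne 'Security' -and $_.Level -gt 3 })
if ($leaked.Count -gt 0) {
    Write-Warning "Filter let through $($leaked.Count) Information/Verbose events"
}

# Quick equivalent without XML, for one channel:
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3 } -MaxEvents 5 |
    Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize

# If you take the answer's second approach (drop in the NXLog language), note
# that im_msvistalog's $SeverityValue runs the other way: 1 DEBUG, 2 INFO,
# 3 WARNING, 4 ERROR, 5 CRITICAL, so "keep Windows Level 1-3" becomes
# "drop if $SeverityValue < 3".
```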