How to transfert Windows EventLog by choosing the severity level.


#1 iris (Last updated )

Hello,

I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to import only EventLogs that correspond to a severity level between 1 and 3 but I really have no idea how to do it. Despite my research and testing, nothing seems to work.

Below, you can see the original “nxlog.conf” configuration file for my DC server:

define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _syslog> Module xm_syslog </Extension>

<Input in> Module im_msvistalog #011Information Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop(); Exec if ($Severity == 'INFO' and ($EventId == 0)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 107)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 112)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 129)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 146)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 1)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 200)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 201)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 20)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 3)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 505)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 600)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop(); #011Warning Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop(); #011Success Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop(); Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop(); #011Error Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop(); Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop(); </Input>

<Output out> Module om_tcp Host supervision Port 514 Exec to_syslog_snare(); </Output>

<Route 1> Path in => out </Route>

Below, you can see my new “nxlog.conf” configuration file for my DC server:

define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _syslog> Module xm_syslog </Extension>

<Input in> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0' Path='Application'> <Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='Security'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='Setup'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Output out> Module om_tcp Host supervision Port 514 Exec to_syslog_snare(); </Output>

<Route 1> Path in => out </Route>

Below, you can see an extract of the log file for the NXLog agent for my DC server:

2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started
2023-12-11 13:42:40 INFO connecting to supervision:514
2023-12-11 14:00:21 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:25 INFO connecting to supervision:514
2023-12-11 14:00:49 WARNING stopping nxlog service
2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:50 INFO connecting to supervision:514
2023-12-11 14:05:41 WARNING stopping nxlog service
2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:05:45 INFO connecting to supervision:514
2023-12-11 14:14:38 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:16:27 INFO connecting to supervision:514
2023-12-11 14:19:51 WARNING stopping nxlog service
2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:19:53 INFO connecting to supervision:514
2023-12-11 14:21:53 WARNING stopping nxlog service
2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:21:54 INFO connecting to supervision:514

I also tried options such as:

Exec if ($Severity == 'INFO') drop();

And I tried by modifying th “input” field with different values below, but nothing seems to work.

<Select Path='Application'>[System/Level<3]</Select>
<Select Path='Security'>[System/Level<3]</Select>
<Select Path='System'>[System/Level<3]</Select>
<Select Path='Application'>[System[Level=3]]</Select>
<Select Path='System'>[System[Level=3]]</Select>
<Select Path='Security'>[System[Level=3]]</Select>
<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>

Unfortunaltely, I'm far from being a specialist in log processing and management, so if you you had an idea to suggest to help mesolve my problem, I would be very gratful.

Thank you in advance,

Arn_no

#2 konstantinosDeactivated Nxlog ✓

Hi Arn_no,

There are at least two ways to approach the config. Option one is to use the XPath language. This is the same syntax that Microsoft uses in their Event Viewer. When you create a Custom Filter, just switch to the XML tab and copy/paste the filter to the NXLog configuration:

<Input in>
  Module im_msvistalog
  <QueryXML>
   <QueryList>
    <Query Id="0">
     <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
     <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
     <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
    </Query>
   </QueryList>
  </QueryXML>
</Input>

Instead of using the XPath filter above to filter your events, you could allow though everything and then use the NXLog language to drop the events you don't need taking advantage of the relevant parsed field, which in your case is $SeverutyValue (please have a look at https://docs.nxlog.co/ce/current/index.html#im_mseventlog_fields )

e.g. Exec if (($Severity == 'ERROR' and ($EventId == 2028)) OR (($SeverutyValue > 3) OR ($SeverutyValue < 1)) drop();

I hope this helps!

Cheers,

Konstantinos