im_msvistalog --> Exec if or drop statement understanding problem

#1 hkrischeu 2 months ago

Hi,

I am using this code snipping

<Input EventLOG>Module im_msvistalogExec if ($TargetUserName == 'SYSTEM') OR ($EventType == 'VERBOSE') drop();</Input>

This is working fine with my nx-Client at Windows 11. It push notification at my debian server with installed rsyslog server.

But I want to have some specific ID´s from Windows Eventlog.( e.g. 5013, 10016, 4616, 6869)

Can anybody point me to the right way?

Thanks in Advance for every help.

Heinz

Permalink

#2 hkrischeu 2 months ago

I tested it with this … but when I start the windows time service which creates eventid 35 / 37 no log is creating.

<Input EventLOG>
Module im_msvistalog
Exec if not ($EventID in (37,4616,158,64,7040,17,12345,22222)) drop();
</Input>