Windows Event Log - Drop/Filter

jacob.omara@doubleline.com

All,

Hopefully an easy question.

I am currently collecting Windows event logs on a dedicated forwarding server (using native WEF) in a dedicated event log (named “Forwarded Events”).  I have NxLog installed on this server and logs are being sent properly to my SIEM.

Currently I am having difficulties filtering events where the SubjectUserName field ends with “$” symbol (logs are still reaching my SIEM). 

Below is a snippet of my configuration.  I am running NXLog Enterprise version 6.2.

Please advise.

<Extension json>
   Module xm_json
</Extension>

<Input windows_security_eventlog>
    Module        im_msvistalog
    ReadFromLast  True
    SavePos       True
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        ###################################################
        # Drop noisy machine object access (4662) events. #
        ###################################################
        # A bare "$" in a regex is the end-of-string anchor, so /(.)$/ matches
        # any non-empty name; the literal dollar sign must be escaped as "\$".
        if $EventID == 4662 AND ($SubjectUserName =~ /\$$/) drop();
    </Exec>
</Input>
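As an added example (not from the original post and not NXLog's own code), the following Python check shows how the two regexes behave over a few constructed 4662 events; Python's `re` stands in for NXLog's PCRE-style regex, and the two agree for these patterns.

```python
import re

# Constructed sample events (not real log data): three 4662 events from
# machine and user accounts, plus one 4624 event that the filter must ignore.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$"},
    {"EventID": 4662, "SubjectUserName": "WKS-042$"},
    {"EventID": 4662, "SubjectUserName": "jsmith"},
    {"EventID": 4662, "SubjectUserName": "svc_backup"},
    {"EventID": 4624, "SubjectUserName": "DC01$"},
]

# As posted: "$" is the end-of-string anchor, so (.)$ matches any non-empty name.
PATTERN_AS_POSTED = re.compile(r"(.)$")
# Corrected: "\$" is a literal dollar sign, and the trailing "$" anchors it to the end.
PATTERN_FIXED = re.compile(r"\$$")


def should_drop(event, pattern):
    """Mirror the Exec rule: drop only 4662 events whose SubjectUserName matches."""
    return event["EventID"] == 4662 and pattern.search(event["SubjectUserName"]) is not None


def forwarded(events, pattern):
    """Return the events that would still reach the SIEM under the given pattern."""
    return [e for e in events if not should_drop(e, pattern)]


if __name__ == "__main__":
    for name, pattern in (("as posted", PATTERN_AS_POSTED), ("fixed", PATTERN_FIXED)):
        kept = [e["SubjectUserName"] for e in forwarded(SAMPLE_EVENTS, pattern)]
        print(f"{name}: forwarded {kept}")
```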