Windows Event Log - Drop/Filter

jacob.omara@doubleline.com

All,

Hopefully an easy question.

I am currently collecting Windows event logs on a dedicated forwarding server (using native WEF) in a dedicated event log (named “Forwarded Events”).  I have NxLog installed on this server and logs are being sent properly to my SIEM.

Currently I am having difficulties filtering events where the SubjectUserName field ends with the “$” symbol (logs are still reaching my SIEM).

Below is a snippet of my configuration.  I am running NXLog Enterprise version 6.2.

Please advise.

<Extension json>
    Module  xm_json
</Extension>

<Input windows_security_eventlog>
    Module        im_msvistalog
    ReadFromLast  True
    SavePos       True
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        ###################################################
        #  Drop noisy machine object access (4662) events.#
        ###################################################
        if $EventID == 4662 AND ($SubjectUserName =~ /(.)$/) drop();
    </Exec>
</Input>
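The regex in the posted Exec block, `/(.)$/`, matches any string whose last character is anything at all, so it does not distinguish a machine account (`HOST$`) from a normal user name. The following added example (not part of the original post, and not NXLog's own code) replays the same drop rule in Python against a few constructed events to show the difference between that pattern and a pattern that anchors a literal dollar sign at the end of the name; the event records and names used here are made up for illustration.

```python
import re

# Constructed sample events (not taken from the original post). NXLog's
# im_msvistalog exposes these as $EventID and $SubjectUserName.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$"},    # machine account, should be dropped
    {"EventID": 4662, "SubjectUserName": "jdoe"},     # human user, should be kept
    {"EventID": 4624, "SubjectUserName": "WKS42$"},   # different EventID, rule does not apply
    {"EventID": 4662, "SubjectUserName": ""},         # empty name, edge case
]

# Pattern as written in the posted configuration: "(.)$" = any one trailing character.
POSTED_PATTERN = re.compile(r"(.)$")

# Pattern that matches only a literal '$' at the end of the name. The backslash
# escapes the dollar sign so it is not read as an end-of-string anchor.
LITERAL_DOLLAR = re.compile(r"\$$")


def apply_drop(events, pattern):
    """Return the events that would survive an Exec rule of the form
    'if $EventID == 4662 AND ($SubjectUserName =~ /pattern/) drop();'."""
    kept = []
    for ev in events:
        if ev["EventID"] == 4662 and pattern.search(ev["SubjectUserName"]):
            continue  # this is the drop() branch
        kept.append(ev)
    return kept


def survivors(events, pattern):
    """Convenience wrapper: the SubjectUserName values that reach the SIEM."""
    return [ev["SubjectUserName"] for ev in apply_drop(events, pattern)]


if __name__ == "__main__":
    # The posted pattern drops every non-empty 4662 event, user accounts included.
    print("(.)$  keeps:", survivors(SAMPLE_EVENTS, POSTED_PATTERN))
    # The literal-dollar pattern drops only the machine account.
    print(r"\$$   keeps:", survivors(SAMPLE_EVENTS, LITERAL_DOLLAR))
```

Because NXLog's `=~` operator uses PCRE-style syntax like Python's `re`, the equivalent change in the configuration would be to write the rule as `if $EventID == 4662 AND ($SubjectUserName =~ /\$$/) drop();` (this is my assumption about the intended rule, not something confirmed in the thread). After changing the pattern, verify the effect by counting 4662 events with and without a trailing `$` in the SubjectUserName on the SIEM side before and after the restart.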