Suppress attribute question

#1 zorkmid

Hello,

This is just a quick question on the following lines of a config for Nxlog. Basically, is the code suppressing all security events with the exception of those event IDs within the brackets, or are the event IDs within the brackets being suppressed?

# Windows Event Log
<Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4662 or EventID=5159) or EventID=5136 or EventID=4932 or EventID=4933]]</Suppress>\
                </Query>\
            </QueryList>
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

#2 b0ti Nxlog ✓
The listed EventIDs are suppressed. See the MSDN documentation about XPath event selection.
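To make the Select/Suppress semantics concrete, here is an added example (not NXLog code, and not from either post) that feeds the QueryList from the question to a small evaluator and runs it over constructed sample events. It implements the rule Microsoft documents for event XPath subscriptions: an event is delivered when it matches a <Select> of a <Query> and matches none of that Query's <Suppress> elements, so Suppress takes precedence. The evaluator is an assumption-bounded approximation that understands only the expression shapes the post uses (`*` and `*[System[EventID=N ...]]` joined with `or`/`and` and parentheses); the sample events and the function names are made up for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# The query from the post. NXLog's trailing backslashes are config-file line
# continuations, not XML, so they are dropped here.
QUERY_XML = """<QueryList>
  <Query Id="0">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4662 or EventID=5159) or EventID=5136 or EventID=4932 or EventID=4933]]</Suppress>
  </Query>
</QueryList>"""

# Constructed sample events (channel, EventID); not captured log data.
SAMPLE_EVENTS = [
    ("Security", 4624),  # logon: listed in Suppress
    ("Security", 4625),  # failed logon: not listed
    ("Security", 4688),  # process creation: listed in Suppress
    ("Security", 4720),  # user account created: not listed
    ("Security", 5136),  # directory object modified: listed in Suppress
    ("System", 4624),    # other channel: Path="Security" never matches it
]

_TOKEN = re.compile(r"\s*(\(|\)|or|and|EventID\s*=\s*(\d+))")


def _tokenize(predicate):
    """Split the inside of [System[...]] into ('op', x) / ('id', n) tokens."""
    tokens, pos, text = [], 0, predicate.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unsupported predicate near {text[pos:pos + 20]!r}")
        tokens.append(("id", int(m.group(2))) if m.group(2) else ("op", m.group(1)))
        pos = m.end()
    return tokens


def _evaluate(tokens, event_id):
    """Recursive descent: or_expr := and_expr ('or' and_expr)*,
    and_expr := atom ('and' atom)*, atom := '(' or_expr ')' | EventID=N."""
    pos = 0

    def atom():
        nonlocal pos
        kind, value = tokens[pos] if pos < len(tokens) else ("op", "<end>")
        if (kind, value) == ("op", "("):
            pos += 1
            val = or_expr()
            if pos >= len(tokens) or tokens[pos] != ("op", ")"):
                raise ValueError("missing ')' in predicate")
            pos += 1
            return val
        if kind == "id":
            pos += 1
            return event_id == value
        raise ValueError(f"unexpected token {value!r} in predicate")

    def and_expr():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == ("op", "and"):
            pos += 1
            rhs = atom()          # always evaluated, so the parser advances
            val = val and rhs
        return val

    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(tokens) and tokens[pos] == ("op", "or"):
            pos += 1
            rhs = and_expr()
            val = val or rhs
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in predicate")
    return result


def xpath_matches(expr, path, channel, event_id):
    """True if an event on `channel` with `event_id` matches `expr` for Path=`path`."""
    if channel != path:           # Path selects the channel the expression applies to
        return False
    expr = expr.strip()
    if expr == "*":
        return True
    m = re.fullmatch(r"\*\[System\[(.*)\]\]", expr, re.S)
    if not m:
        raise ValueError(f"unsupported XPath: {expr!r}")
    return _evaluate(_tokenize(m.group(1)), event_id)


def filter_events(query_xml, events):
    """Return the events the subscription would deliver, in input order."""
    root = ET.fromstring(query_xml)
    kept = []
    for channel, event_id in events:
        for query in root.findall("Query"):
            selected = any(xpath_matches(s.text, s.get("Path"), channel, event_id)
                           for s in query.findall("Select"))
            suppressed = any(xpath_matches(s.text, s.get("Path"), channel, event_id)
                             for s in query.findall("Suppress"))
            if selected and not suppressed:   # Suppress wins over Select
                kept.append((channel, event_id))
                break   # one matching Query is enough to deliver the event
    return kept


if __name__ == "__main__":
    for channel, event_id in filter_events(QUERY_XML, SAMPLE_EVENTS):
        print(f"delivered: {channel} {event_id}")
```

Run against the sample set, only 4625 and 4720 are delivered: every listed ID is dropped, and the System-channel event is never selected because both expressions carry Path="Security". Two things worth noting about the posted query: the parentheses around the first seven IDs change nothing, since every operator is `or`; and because im_msvistalog hands this QueryList to the Windows Event Log API, suppressed events are filtered at collection time and never enter the NXLog pipeline, so nothing downstream (Exec, outputs, a SIEM) can recover them.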