NXLog syntax for capturing Windows Event Viewer logs


#1 Neeraj79

Hello, I am using NXLog to capture Windows Event Viewer logs. I have the below requirements:
(1) Forward Event ID 4624 events
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes.

Both of the above events are from the "Security" category of Event Viewer. If I use the below syntax, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my QUERY block?

Query <QueryList>\
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID=4624]]</Select>\
        <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='')]]</Select>\
    </Query>\

Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?

Query <QueryList>\
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID=4624]]</Select>\
    <Query>\
    <Query Id="1">\
        <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]</Select>\
    </Query>\
#2 b0ti Nxlog ✓

See the Microsoft documentation about event selection. There is a section titled XML Event Queries that documents how you can construct an XML query to filter the security logs in the Windows Event Log.
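Windows event query XML allows several Select elements inside one Query, so a single QueryList with one Query Id is enough for both requirements. The input block below is an added example, not configuration from this thread or from NXLog's own documentation: it balances the parenthesis and the closing Query and QueryList tags that are missing in the snippets above, uses the Microsoft-documented `Data[@Name='...']='value'` comparison for the process name, and assumes the input name `eventlog` and that the 4689 ProcessName field holds the full path.

```nxlog
# Added example (not from the thread): one im_msvistalog input whose
# QueryXML block carries both selections in a single Query element.
# First Select: every 4624 (successful logon).
# Second Select: 4689 (process exit) only when the exiting process
# is C:\Windows\System32\notepad.exe, matched on the ProcessName field.
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624)]]</Select>
                <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName']='C:\Windows\System32\notepad.exe']]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
```

The same QueryList can be checked against the local Security log with `Get-WinEvent -FilterXml` in PowerShell before it is deployed, which surfaces malformed XML or XPath up front. Event 4689 is only written when the Audit Process Termination subcategory is enabled, so an empty result for the second Select may be a policy gap rather than a query error.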