NXLog syntax for capturing Windows Event Viewer logs
Hello,
I am using NXLog to capture Windows Event Viewer logs. I have the below requirements:
(1) Forward Event ID 4624 events
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default, 4689 is common to many processes.
Both of the above events are from the "Security" category of Event Viewer. If I use the below syntax, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my QUERY block?
Query <QueryList>\
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID=4624)]]</Select>\
        <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='')]]</Select>\
    </Query>\
</QueryList>
Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?
Query <QueryList>\
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID=4624)]]</Select>\
    </Query>\
    <Query Id="1">\
        <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]</Select>\
    </Query>\
</QueryList>
See the Microsoft documentation about event selection. There is a section titled "XML Event Queries"
that documents how you can construct an XML query to filter the Security log in the Windows Event Log.
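As an added example (not code from the original post or from NXLog's own documentation), here are the two filters combined in a single im_msvistalog input. The Windows XML event query schema allows several Select elements inside one Query, and an event matching any of them is returned, so two Query Ids are not needed. The input, output and route names and the collector address are assumptions.

```nxlog
# Added example: one Query, two Select elements (logical OR between them).
# Input/output/route names and the collector address are assumptions.
<Input eventlog>
    Module  im_msvistalog
    # Multi-line directive: every line except the last ends with a backslash.
    # Select 1: every 4624 (logon) event.
    # Select 2: 4689 (process exit) only when ProcessName is notepad.exe,
    #           using the documented *[System[...]] and *[EventData[...]] form.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4624)]]</Select>\
                    <Select Path="Security">*[System[(EventID=4689)]] and *[EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]</Select>\
                </Query>\
            </QueryList>
</Input>

# Forward the matching events to a collector (placeholder address, assumption).
<Output collector>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
</Output>

<Route security_events>
    Path    eventlog => collector
</Route>
```

Because the filter runs inside the Windows event subscription, events that match neither Select are never read by NXLog, which keeps the 4689 volume down before any further processing.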