Hi All, I wanted to see if I could get help with a filter for windows events. I want to get all the "security" events except those that have a word with .tmp inside, For example:

ObjectName F:\Personal\Battista\14FC4253.tmp

With the user help in chat i try with this config but doesnt work:

This is a sample configuration file. See the nxlog reference manual about the

configuration options. It should be installed locally and is also available

online at http://nxlog.org/docs/

Please set the ROOT to the folder your nxlog was installed into,

otherwise it will not start.

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _gelf> #Module xm_syslog Module xm_gelf #Module xm_json </Extension>

<Input in1> Module im_msvistalog

Uncomment the following to collect specific event logs only

 Query <QueryList>\
           <Query Id="0">\
              <Select Path="Application">*</Select>\
              <Select Path="System">*</Select>\
              <Select Path="Security">*</Select>\
           </Query>\
       </QueryList>
<Exec>
    if $Channel == 'Security' and $ObjectName =~ /.tmp/ drop();
</Exec>

</Input>

<Output out> Module om_udp Host 172.20.5.32 Port 12201 #Exec to_syslog_snare(); OutputType GELF </Output>

<Route 1> Path in1 => out </Route>

THanks !