Nxlog CE agent forwarding all Windows Events despite the query level filter


#1 Olistra
Hello everybody,

I'm trying to filter the Windows event logs by severity/level so that only warning to critical events are forwarded, i.e. levels 1 to 3. Unfortunately, I have tried several configurations, but the agent is still forwarding all the events, as if there were no filters at all.

My setup is the NXLog CE agent (version 2.10.2102) on Windows 10 64-bit, build 1803, with this configuration:

[The block tags of the posted configuration, and the Path attributes of the four <Select> elements, did not survive extraction; the block structure below is reconstructed (the names eventlog, buffer and out are confirmed by the Route line), and the channel names are left as "...".]

    Panic Soft

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="...">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path="...">*[System[(Level=1)]]</Select>
                    <Select Path="...">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path="...">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Processor buffer>
        Module pm_buffer
        MaxSize 102400
        Type disk
    </Processor>

    <Output out>
        Module om_tcp
        Host X.X.X.X
        Port 514
        Exec to_syslog_snare();
    </Output>

    <Route 1>
        Path eventlog => buffer => out
    </Route>

Am I missing something? Did something change recently in the syntax?

Thanks for your help.

Best regards :)
#2 Olistra

Hello,

I forgot to say that there is no error in the nxlog.log on the Windows machine...

Thanks for any help.
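A check that separates "the XPath is wrong" from "the agent is not applying it", added here as an example and not part of the thread or of NXLog's own material: evaluate the same Level filter that the <Select> elements use directly against the Windows Event Log API with Get-WinEvent, then ask nxlog to verify the configuration file it is actually loading. The channel names (System, Application), the install path and the nxlog.exe command-line switches (-v to verify, -c to name the config file) are assumptions for the illustration; substitute your own channels and path.

```powershell
# Added example (not from the thread): verify the QueryXML filter outside nxlog.
# Assumptions: channels System and Application, and a default NXLog CE install path.

# The same QueryList shape as the im_msvistalog <QueryXML> block, with the
# Level 1..3 (Critical, Error, Warning) XPath applied per channel.
$queryXml = [xml]@"
<QueryList>
  <Query Id="0">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# Let the OS evaluate the query. If nothing matches, Get-WinEvent raises a
# non-terminating error; SilentlyContinue turns that into an empty result.
$events = Get-WinEvent -FilterXml $queryXml -MaxEvents 500 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "Query returned no events: either the channels are empty or the XPath matches nothing."
}
else {
    # Level 1=Critical, 2=Error, 3=Warning, 4=Information, 5=Verbose, 0=LogAlways
    $events |
        Group-Object -Property LogName, Level |
        Sort-Object Name |
        ForEach-Object { Write-Host ("{0,-40} {1,5} events" -f $_.Name, $_.Count) }

    # Anything outside 1..3 here means the XPath itself is not filtering.
    $outside = @($events | Where-Object { $_.Level -lt 1 -or $_.Level -gt 3 })
    if ($outside.Count -gt 0) {
        Write-Warning ("{0} event(s) outside Level 1-3 matched; fix the XPath before blaming the agent." -f $outside.Count)
    }
    else {
        Write-Host "Only Level 1-3 events matched: the XPath is fine; check that nxlog is loading this filter."
    }
}

# Second half of the check: is the agent reading the file you edited?
# nxlog.exe -v verifies the configuration syntax without starting the agent (assumed switches).
$nxlogRoot = 'C:\Program Files (x86)\nxlog'
& "$nxlogRoot\nxlog.exe" -v -c "$nxlogRoot\conf\nxlog.conf"
Write-Host "nxlog.exe -v exit code: $LASTEXITCODE (0 means the file parsed)"
```

Two things worth knowing when reading the output. First, audit events in the Security channel are written with Level 0, so a Level 1..3 filter excludes them entirely; if Security events are still arriving at the collector, the filter is not being applied rather than being wrong. Second, after a successful -v, restart the nxlog service and confirm in nxlog.log that the agent reports the configuration file path you edited, since a stale copy elsewhere is a common reason a "working" filter has no visible effect.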