Nxlog CE agent forwarding all Windows Events despite the query level filter


#1 Olistra

Hello everybody, I'm trying to filter the Windows event log by severity/level, keeping only warning to critical, i.e. levels 1 to 3.

Unfortunately, I tried several configurations, but the agent is still forwarding all the events, as if there were no filters.

My specifications are: NXLog CE agent (version 2.10.2102) on Windows 10 64-bit build 1803 with this conf:

Panic Soft

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

# Read the Windows event log, selecting only Level 1-3 (critical/error/warning)
<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='Security'>*[System[(Level=1)]]</Select>
                <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Disk-backed buffer so events are not lost if the collector is unreachable
<Processor buffer>
    Module      pm_buffer
    MaxSize     102400
    Type        disk
</Processor>

# Forward over TCP in Snare syslog format
<Output out>
    Module      om_tcp
    Host        X.X.X.X
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog => buffer => out
</Route>

Am I missing something? Did something change recently in the syntax?

Thanks for your help.

Best regards :)
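The quickest way to isolate this problem is to run the exact same QueryList through the Windows Event Log API, independently of NXLog: if `Get-WinEvent` returns only Level 1-3 events, the XPath is fine and the fault is on the agent side (for example the service is not running the conf file you edited); if it returns other levels, the query itself is wrong. The PowerShell below is an added example for that check, not code from the original post or from NXLog; it assumes the QueryList is pasted verbatim from the config above and that `-MaxEvents` is just a sample window, not a limit NXLog would apply. It also tallies the Security channel by Level: Windows audit events are written at Level 0 and carry success/failure in Keywords, so a `Level=1` Select on Security is expected to match nothing.

```powershell
# Added example: validate the nxlog QueryList outside nxlog.
# The QueryList below is assumed to be an exact copy of the <QueryXML> block in the agent config.
$queryXml = @"
<QueryList>
  <Query Id='0'>
    <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path='Security'>*[System[(Level=1)]]</Select>
    <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# Run the query through the same Event Log API im_msvistalog uses.
# -ErrorAction SilentlyContinue keeps "No events were found" from terminating the script.
$events = Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 2000 -ErrorAction SilentlyContinue

# Tally by channel and level. Every row must have Level 1, 2 or 3; a row outside that
# range means the XPath is wrong, and an empty result means the filter works but nothing
# matched in the sampled window.
Write-Host "Events matched by the QueryList, by channel and level:"
$events |
    Group-Object LogName, Level |
    Select-Object @{n = 'Channel'; e = { $_.Values[0] }},
                  @{n = 'Level';   e = { $_.Values[1] }},
                  Count |
    Sort-Object Channel, Level |
    Format-Table -AutoSize

# Any level outside 1..3 is a query bug; report it explicitly.
$unexpected = $events | Where-Object { $_.Level -lt 1 -or $_.Level -gt 3 }
if ($unexpected) {
    Write-Warning ("{0} events outside Level 1-3 were returned; the XPath is not filtering." -f $unexpected.Count)
} else {
    Write-Host "All returned events are Level 1-3: the XPath is correct."
}

# What the Security channel actually reports as Level (audit events are Level 0,
# so the Level=1 Select on Security matches nothing by design).
Write-Host "Security channel sample, by Level:"
Get-WinEvent -LogName Security -MaxEvents 200 -ErrorAction SilentlyContinue |
    Group-Object Level |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

If this script shows only Level 1-3 but the collector still receives everything, check the agent rather than the query: run `"C:\Program Files (x86)\nxlog\nxlog.exe" -v` to have NXLog parse the conf file it actually uses and report any errors, then restart the service so the edited conf is loaded.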

#2 Olistra

Hello,

I forgot to say that there is no error in the nxlog.log on the Windows machine...

Thanks for any help.