Nxlog CE agent forwarding all Windows Events despite the query level filter
Olistra
Hello everybody, I'm trying to filter the Windows event log by severity/level, only from warning to critical, so from level 1 to 3.
Unfortunately, I tried several configurations, but the agent is still forwarding all the events, as if there were no filters.
My specifications are: NXLog CE agent (version 2.10.2102) on Windows 10 64-bit build 1803 with this conf:
Panic Soft

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='Security'>*[System[(Level=1)]]</Select>
                <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_tcp
    Host X.X.X.X
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path eventlog => buffer => out
</Route>
Am I missing something? Did something change recently in the syntax?
Thanks for your help.
Best regards :)
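A way to check the query itself, independently of the agent, as an added example that is not part of the original post: the same QueryList is run through Get-WinEvent on the Windows host, and the matched events are grouped by log and level, so you can see whether the XPath admits only levels 1 to 3 or whether the flood comes from NXLog's handling of it (run it in an elevated PowerShell to read the Security log).

```powershell
# Added check, not from the original post: run the poster's QueryList through
# Get-WinEvent so the XPath filter is verified independently of NXLog.
# Windows event levels: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 0 = LogAlways.
[xml]$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Security">*[System[(Level=1)]]</Select>
    <Select Path="Setup">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# Take a bounded sample; -ErrorAction hides the "No events were found" non-terminating error.
$sample = Get-WinEvent -FilterXml $query -MaxEvents 500 -ErrorAction SilentlyContinue

if (-not $sample) {
    Write-Host "Query returned no events (or a log is not readable); check the XPath or run elevated."
    return
}

# One summary line per (log, level) pair so the filter's effect is visible at a glance.
$sample |
    Group-Object LogName, Level |
    Sort-Object Name |
    ForEach-Object {
        '{0,-12} Level={1}  count={2}' -f $_.Group[0].LogName, $_.Group[0].Level, $_.Count
    }

# Anything outside Level 1..3 here means the query is too broad on its own;
# a clean result here with everything still arriving at the collector points at the agent.
$leak = $sample | Where-Object { $_.Level -lt 1 -or $_.Level -gt 3 }
if ($leak) {
    Write-Warning ("{0} events outside Level 1-3 matched the query" -f $leak.Count)
} else {
    Write-Host "Query admits only Level 1-3 events in this sample."
}
```

Note that Security-log audit records carry Level 0 (LogAlways) with the audit-success/failure Keywords, so a `Level=1` select on that log will match almost nothing regardless of what the agent forwards.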