Nxlog CE agent forwarding all Windows Events despite the query level filter


Olistra

Hello everybody, I'm trying to filter the Windows event logs by severity/level so that only warning to critical events are kept, i.e. level 1 to 3.

Unfortunately, I tried several configurations, but the agent is still forwarding all the events, as if there were no filters.

My specifications are: NXLog CE agent (version 2.10.2102) on Windows 10 64-bit build 1803, with this config:

Panic Soft

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='Security'>*[System[(Level=1)]]</Select>
                <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor buffer>
    Module      pm_buffer
    MaxSize     102400
    Type        disk
</Processor>

<Output out>
    Module      om_tcp
    Host        X.X.X.X
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog => buffer => out
</Route>

Am I missing something? Did something change recently in the syntax?

Thanks for your help.

Best regards :)
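The following is an added example, not part of this thread and not NXLog code: an offline evaluator that parses the QueryList from the post above and applies its Level predicates to a handful of constructed sample events, so you can see exactly which events the query is supposed to let through before blaming the agent. It assumes only that each <Select> carries a plain `Level=N` predicate (it is not a general XPath engine, and it does not model <Suppress> elements). One thing it makes visible: Security channel audit events (e.g. logon failures) carry Level 0, so with `Level=1` on that channel the collector should receive essentially nothing from Security; if it still does, the filter is not being applied at all.

```python
import re
import xml.etree.ElementTree as ET

# The QueryXML block from the post, copied verbatim.
QUERY_XML = """<QueryList>
  <Query Id='0'>
    <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path='Security'>*[System[(Level=1)]]</Select>
    <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>"""

# Windows event level numbers: 0 = LogAlways (used by Security audit events),
# 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error",
               3: "Warning", 4: "Information", 5: "Verbose"}

# Matches each "Level=N" term inside the XPath predicate (assumption: plain OR-ed equalities).
LEVEL_RE = re.compile(r"Level\s*=\s*(\d+)")


def parse_level_filter(query_xml):
    """Return {channel: set(levels)} for every <Select> in the QueryList."""
    root = ET.fromstring(query_xml)
    filters = {}
    for sel in root.iter("Select"):
        channel = sel.get("Path")
        xpath = (sel.text or "").strip()
        levels = {int(n) for n in LEVEL_RE.findall(xpath)}
        if not levels:
            raise ValueError(f"no Level predicate in <Select Path='{channel}'>: {xpath!r}")
        filters.setdefault(channel, set()).update(levels)
    return filters


def would_forward(filters, channel, level):
    """True if an event on this channel with this level matches the query.

    Channels without a <Select> are never subscribed, so they never match.
    """
    return level in filters.get(channel, set())


# Constructed sample events (channel, level, event id); not taken from a real host.
SAMPLE_EVENTS = [
    ("Application", 2, 1000),   # application crash -> Error
    ("Application", 4, 1001),   # informational report
    ("System", 1, 41),          # unexpected reboot -> Critical
    ("System", 3, 134),         # time service warning
    ("System", 4, 7036),        # service state change -> Information
    ("Security", 0, 4625),      # failed logon -> audit event, Level 0
    ("Setup", 2, 1000),         # setup error
    ("Microsoft-Windows-Sysmon/Operational", 4, 1),  # channel not in the query
]


def classify(filters, events):
    """Label each sample event with its level name and whether the query would forward it."""
    return [(ch, LEVEL_NAMES.get(level, str(level)), eid, would_forward(filters, ch, level))
            for ch, level, eid in events]


def forwarded_count(filters, events):
    """Number of sample events the query admits; useful as a quick sanity figure."""
    return sum(1 for _, level_name, _, keep in classify(filters, events) if keep)


if __name__ == "__main__":
    flt = parse_level_filter(QUERY_XML)
    for channel, levels in sorted(flt.items()):
        print(f"{channel:<12} keeps levels {sorted(levels)}")
    print()
    for ch, level_name, eid, keep in classify(flt, SAMPLE_EVENTS):
        print(f"{'FORWARD' if keep else 'drop   '}  {ch:<40} {level_name:<12} EventID {eid}")
```

Run it as-is and compare the FORWARD lines with what actually arrives on the collector: if Information-level (4) or Security audit (Level 0) events show up there, the agent is not applying the query, whereas if only the FORWARD set arrives the query is fine and the remaining volume is simply what those channels produce at Warning and above.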