Hello, I have recently been trying to set up a syslog-ng server for various devices and have tried a couple of things for sending Windows Events to the server.
Finally decided that NXLog will do what I need, and I have gotten some events sent over without much configuration, but when trying to filter within the .conf file, it always fails. I can't really find much good information as to why it might be failing, as it seems that it should be correct (to me anyway).
# Windows Event Log,
<Input s_eventlog>
    Module im_msvistalog
    Exec if $EventID == 4734 or $EventID == 4624 drop();
    Exec $Message = to_json();
</Input>
I have narrowed it down to this block, since the log says:
nxlog failed to start: </Input> without matching <Input> section at C:\Program Files (x86)\nxlog\conf\nxlog.conf:43
Which is where this block ends?
I can't really make sense of this, so if anyone has some guidance please tell me.
The config snippet looks good, not sure what the problem might be. You might want to post the full config and upload it somewhere so that it is not copy-pasted.
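One way to check the full file for the mismatch the log reports, and for stray characters left by copy-paste, as an added example that is not part of the original thread. The `check_blocks` helper, its simplified tag matching and the sample config (with a zero-width space placed in front of `<Input s_eventlog>`) are constructed for illustration and are not NXLog's own parser.

```python
import re

# Simplified model of the <Section name> ... </Section> block tags in nxlog.conf.
# Assumptions for this example: not NXLog's parser; names compared ignoring case.
OPEN_RE = re.compile(r"^<([A-Za-z_]\w*)(\s+[^>]*)?>$")
CLOSE_RE = re.compile(r"^</([A-Za-z_]\w*)>$")

# Constructed sample: a zero-width space (U+200B) sits in front of <Input ...>.
SAMPLE = (
    "<Extension json>\n"
    "    Module xm_json\n"
    "</Extension>\n"
    "\u200b<Input s_eventlog>\n"
    "    Module im_msvistalog\n"
    "    Exec if $EventID == 4734 or $EventID == 4624 drop();\n"
    "    Exec $Message = to_json();\n"
    "</Input>\n"
)


def check_blocks(text):
    """Return sorted (line_number, problem) tuples for the config text."""
    problems, stack = [], []  # stack holds (name, line) of blocks still open
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Anything outside printable ASCII (BOM, zero-width space, smart
        # quotes) is a typical side effect of copy-pasting a config.
        odd = sorted({c for c in raw if c != "\t" and not " " <= c <= "~"})
        if odd:
            codes = ", ".join("U+%04X" % ord(c) for c in odd)
            problems.append((lineno, "unexpected character: " + codes))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE_RE.match(line), OPEN_RE.match(line)
        if closing:
            name = closing.group(1)
            if stack and stack[-1][0] == name.lower():
                stack.pop()
            else:
                problems.append((lineno, "</%s> without matching <%s>" % (name, name)))
        elif opening:
            stack.append((opening.group(1).lower(), lineno))
    problems += [(n, "<%s> is never closed" % s) for s, n in stack]
    return sorted(problems)


if __name__ == "__main__":
    for lineno, problem in check_blocks(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```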