Let's Talk
Let's Talk

PatternDB errors for Windows 2003

View thread
jaredtully

Hi there, a little bit of a novice here. Hope you dont mind pointing me in the right direction.

I’m having some difficulty getting the configuration for using patternDB on windows 2003 servers, the configuration works for windows 2008+

The logs I have are as follows:

2020-02-05 13:48:32 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:40
2020-02-05 13:48:32 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:76
2020-02-05 13:48:32 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:57
2020-02-05 13:48:32 ERROR module 'eventlog_Pattern' has configuration errors, not adding to route 'route_Pattern' at C:\Program Files\nxlog\conf\nxlog.conf:94
2020-02-05 13:48:32 WARNING not starting unused module eventlog
2020-02-05 13:48:32 WARNING not starting unused module eventlog_Pattern
2020-02-05 13:48:32 INFO nxlog-ce-2.10.2150 started

The section of conf is:

############################################################################
####                      NXLOG WITH PATTERNDB                         #####
####    Uncomment the following lines for Windows Events filtered      #####
############################################################################

<Input internal_Pattern>
    Module      im_internal
</Input>

<Input eventlog_Pattern>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Processor match_events>
     Module          pm_pattern
     PatternFile     %ROOT%\conf\patterndb.xml
</Processor>

<Output out_Pattern>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        if not defined $PatternID or not defined $Message { drop(); }
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route route_Pattern>
    Path 	eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>

############################################################################
#####                     /NXLOG WITH PATTERNDB                        #####
############################################################################

Thanks for reading. Please let me know if any more information needs to be included.