PatternDB not working as expected. Config errors?

jaredtully
Hi there, I'm having a little trouble trying to filter events with patterndb.xml. I'm sending logs to our SIEM, but despite the corresponding event IDs missing from patterndb they are still getting pushed. I think my configuration setup is overruling the patterndb config. Can you please review? Thanks for your time.

    #
    # Configuration for converting and sending Windows logs
    # to AlienVault USM Anywhere.
    #
    # Version: 0.1.0
    # Last modification: 2019-07-03
    #

    define ROOT C:\Program Files (x86)\nxlog
    define OUTPUT_DESTINATION_ADDRESS x.x..x.xx
    define OUTPUT_DESTINATION_PORT 12346789

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    # Block names for the two extensions and the two routes were lost from the post;
    # "json", "syslog", "direct" and "patterndb" below are placeholders.
    <Extension json>
        Module xm_json
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input internal>
        Module im_internal
    </Input>

    <Input eventlog>
        Module im_msvistalog
        # The channel names inside the three <Select Path="..."> elements were lost
        # from the post; CHANNEL_1..3 are placeholders.
        Query <QueryList> \
                  <Query Id="0"> \
                      <Select Path="CHANNEL_1">*</Select> \
                      <Select Path="CHANNEL_2">*</Select> \
                      <Select Path="CHANNEL_3">*</Select> \
                  </Query> \
              </QueryList>
        Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
    </Input>

    <Output out>
        Module om_udp
        Host %OUTPUT_DESTINATION_ADDRESS%
        Port %OUTPUT_DESTINATION_PORT%
        Exec $EventTime = integer($EventTime) / 1000000;
        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
        Exec $Message = to_json(); to_syslog_bsd();
    </Output>

    # NOTE: this route has no pm_pattern stage, so everything "eventlog" collects
    # (minus 5156/5158) is forwarded to the SIEM regardless of patterndb.xml.
    <Route direct>
        Path eventlog, internal => out
    </Route>

    ############################################################################
    ####                     NXLOG WITH PATTERNDB                          #####
    ####      Uncomment the following lines for Windows Events filtered    #####
    ############################################################################
    <Input internal_Pattern>
        Module im_internal
    </Input>

    <Input eventlog_Pattern>
        Module im_msvistalog
        # Same three channels as above; placeholders again.
        Query <QueryList> \
                  <Query Id="0"> \
                      <Select Path="CHANNEL_1">*</Select> \
                      <Select Path="CHANNEL_2">*</Select> \
                      <Select Path="CHANNEL_3">*</Select> \
                  </Query> \
              </QueryList>
    </Input>

    <Processor match_events>
        Module pm_pattern
        PatternFile %ROOT%\conf\patterndb.xml
    </Processor>

    <Output out_Pattern>
        Module om_udp
        Host %OUTPUT_DESTINATION_ADDRESS%
        Port %OUTPUT_DESTINATION_PORT%
        Exec $EventTime = integer($EventTime) / 1000000;
        # Only events that matched a pattern carry $PatternID; everything else is dropped.
        Exec if not defined $PatternID or not defined $Message { drop(); }
        Exec $Message = to_json(); to_syslog_bsd();
    </Output>

    <Route patterndb>
        Path eventlog_Pattern, internal_Pattern => match_events => out_Pattern
    </Route>
    ############################################################################
    #####                    /NXLOG WITH PATTERNDB                         #####
    ############################################################################
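A quick way to check a layout like the one in the post is to walk every Route and see whether the im_msvistalog input reaches an output without passing through a pm_pattern stage. The script below is an added example, not code from the post or from NXLog; it parses a constructed, trimmed copy of the two-route layout (block and route names such as "direct" and "patterndb" are assumed, since the post only shows the Path lines) and reports any route that bypasses the pattern filter. Lines starting with "#" are ignored, so commenting out the unfiltered route makes the report come back empty.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed to the parts that matter for routing.
# Block and route names are assumptions; the original post shows only the Path lines.
SAMPLE_CONFIG = r"""
<Input eventlog>
    Module im_msvistalog
    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

<Input internal>
    Module im_internal
</Input>

<Output out>
    Module om_udp
</Output>

<Route direct>
    Path eventlog, internal => out
</Route>

<Input eventlog_Pattern>
    Module im_msvistalog
</Input>

<Input internal_Pattern>
    Module im_internal
</Input>

<Processor match_events>
    Module pm_pattern
    PatternFile %ROOT%\conf\patterndb.xml
</Processor>

<Output out_Pattern>
    Module om_udp
    Exec if not defined $PatternID or not defined $Message { drop(); }
</Output>

<Route patterndb>
    Path eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>
"""

# Matches one <Input name> ... </Input> style block (also Processor/Output/Route).
BLOCK_RE = re.compile(r"<(Input|Processor|Output|Route)\s+(\S+)>(.*?)</\1>", re.S)


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, List[List[str]]]]:
    """Return (modules, routes).

    modules: block name -> Module directive value (e.g. "eventlog" -> "im_msvistalog")
    routes:  route name -> list of stages, each stage a list of block names
    """
    # Drop comment lines first so a commented-out block is not treated as live.
    live = "\n".join(line for line in text.splitlines()
                     if not line.strip().startswith("#"))
    modules: Dict[str, str] = {}
    routes: Dict[str, List[List[str]]] = {}
    for kind, name, body in BLOCK_RE.findall(live):
        lines = [line.strip() for line in body.splitlines() if line.strip()]
        if kind == "Route":
            for line in lines:
                if line.startswith("Path"):
                    path = line[len("Path"):]
                    routes[name] = [[part.strip() for part in stage.split(",")]
                                    for stage in path.split("=>")]
        else:
            for line in lines:
                if line.startswith("Module"):
                    modules[name] = line.split()[1]
    return modules, routes


def unfiltered_routes(text: str, inputs=("im_msvistalog",),
                      filter_module: str = "pm_pattern") -> List[str]:
    """Names of routes that carry one of `inputs` to an output with no `filter_module` stage."""
    modules, routes = parse_config(text)
    flagged = []
    for name, stages in routes.items():
        stage_modules = [modules.get(block, "?") for stage in stages for block in stage]
        carries_input = any(mod in inputs for mod in stage_modules)
        if carries_input and filter_module not in stage_modules:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for route in unfiltered_routes(SAMPLE_CONFIG):
        print(f"route '{route}' forwards Windows events without a pm_pattern stage")
```

Run against the sample it names the "direct" route, which is exactly why events absent from patterndb.xml still reach the SIEM: the second route filters correctly, but the first one never consults the pattern file.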