Collecting Event Viewer Logs (msvistalog), but oddly fails with error

View thread

Pervon

I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:

    .\nxlog.exe -v
    
    INFO configuration OK
    .\nxlog.exe -f
    
     INFO nxlog-ce-2.10.2150 started
     ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
     ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001]

The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate eventIDs). Below is the configuration and associated examples

Complete but fails .conf


    #NoFreeOnExit TRUE
    
    define ROOT	C:\Program Files (x86)\nxlog
    define CERTDIR	%ROOT%\cert
    define CONFDIR 	%ROOT%\conf
    define LOGDIR	%ROOT%\data
    define LOGFILE 	%LOGFILE%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir 	%ROOT%\modules
    CacheDir  	%ROOT%\data
    Pidfile		%ROOT%\data\nxlog.pid
    SpoolDir	%ROOT%\data
    
    <Extension gelf>
    	Module xm_gelf
    <Extension>
    
    <input eventlog>
    	Module im_msvistalog
    	<QueryXML>
    		<QueryList>
    			<Query Id='0'>
    				<Select Path='Security'>
    					(EventID=550) or
    					(EventID=612) or
    					(EventID=801) or
    					(EventID=1102) or
    					(EventID=1104) or
    					(EventID=1108) or
    					(EventID=4608) or
    					(EventID=4616) or
    					((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
    					((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
    					((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
    					((EventID=4648) and (TargetDomainName="domain.net")) or
    					(EventID=4649) or
    					((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
    					((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
    					((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
    					(EventID=4699) or
    					(EventID=4704) or
    					(EventID=4717) or
    					(EventID=4719) or
    					(EventID=4720) or
    					(EventID=4726) or
    					(EventID=4740) or
    					(EventID=4765) or
    					(EventID=4766) or
    					(EventID=4794) or
    					(EventID=4897) or
    					(EventID=4946) or
    					(EventID=4948) or
    					(EventID=4950) or
    					(EventID=4964) or
    					(EventID=5024) or
    					(EventID=5025) or
    					(EventID=5030) or
    					(EventID=5124) or
    					((EventID=5140) and (ShareName!="\\*C$")) or
    					((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
    					(EventID=5148) or
    					(EventID=5149) or
    					(EventID=5154) or
    					(EventID=5155) or
    					(EventID=5156) or
    					(EventID=5157) or
    					(EventID=5158) or
    					(EventID=5159) or
    					(EventID=5376) or
    					(EventID=5379)
    				</Select>
    			</Query>
    		</QueryList>
    	</QueryXML>
    </Input>
    
    <Output graylog>
    	Module om_udp
    	Host 192.168.1.1
    	Port 55555
    	OutputType GELF_UDP
    </Output>
    
    <Route toGraylog>
    	Path eventlog => graylog
    </Route>

Cut out from above. Succeeds:

    <input eventlog>
    	Module im_msvistalog
    	<QueryXML>
    		<QueryList>
    			<Query Id='0'>
    				<Select Path='Security'>
    					(EventID=550) or
    					(EventID=612) or
    					(EventID=801) or
    					(EventID=1102) or
    					(EventID=1104) or
    					(EventID=1108) or
    					(EventID=4608) or
    					(EventID=4616) or
    					((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
    					((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
    					((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10)))
    					((EventID=4648) and (TargetDomainName="domain.net")) or
    					(EventID=4649) or
    					((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
    					((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
    					((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
    					(EventID=4699) or
    					(EventID=4704) or
    					(EventID=4717) or
    					(EventID=4719) or
    					(EventID=4720) or
    					(EventID=4726) or
    					(EventID=4740) or
    					(EventID=4765) or
    					(EventID=4766) or
    					(EventID=4794) or
    					(EventID=4897) or
    					(EventID=4946) or
    					(EventID=4948) or
    					(EventID=4950) or
    					(EventID=4964) or
    					(EventID=5024) or
    					(EventID=5025) or
    					(EventID=5030) or
    					(EventID=5124) or
    					((EventID=5140) and (ShareName!="\\*C$")) or
    					((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
    					(EventID=5148) or
    					(EventID=5149) or
    					(EventID=5154) or
    					(EventID=5155) or
    					(EventID=5156) or
    					(EventID=5157) or
    					(EventID=5158) or
    					(EventID=5159) or
    					(EventID=5376) or
    					(EventID=5379)
    				</Select>
    			</Query>
    		</QueryList>
    	</QueryXML>
    </Input>

Fails:

    (EventID=4699) or
    (EventID=4704) or
    (EventID=4717) or
    (EventID=4719) or
    (EventID=4720) or
    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156) or
    (EventID=5157) or
    (EventID=5158) or
    (EventID=5159) or
    (EventID=5376) or
    (EventID=5379)

Succeeds (Removed bottom 5):

    (EventID=4699) or
    (EventID=4704) or
    (EventID=4717) or
    (EventID=4719) or
    (EventID=4720) or
    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156)

Succeeds (Added bottom 5 back and removed top 5):

    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156) or
    (EventID=5157) or
    (EventID=5158) or
    (EventID=5159) or
    (EventID=5376) or
    (EventID=5379)

Thank you!