Collecting Event Viewer Logs (msvistalog), but oddly fails with error
I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:
.\nxlog.exe -v
INFO configuration OK
.\nxlog.exe -f
INFO nxlog-ce-2.10.2150 started
ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001]
The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate eventIDs). Below is the configuration and associated examples.
Complete but fails .conf
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension gelf>
Module xm_gelf
</Extension>
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Security'>
(EventID=550) or
(EventID=612) or
(EventID=801) or
(EventID=1102) or
(EventID=1104) or
(EventID=1108) or
(EventID=4608) or
(EventID=4616) or
((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
((EventID=4648) and (TargetDomainName="domain.net")) or
(EventID=4649) or
((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
(EventID=4699) or
(EventID=4704) or
(EventID=4717) or
(EventID=4719) or
(EventID=4720) or
(EventID=4726) or
(EventID=4740) or
(EventID=4765) or
(EventID=4766) or
(EventID=4794) or
(EventID=4897) or
(EventID=4946) or
(EventID=4948) or
(EventID=4950) or
(EventID=4964) or
(EventID=5024) or
(EventID=5025) or
(EventID=5030) or
(EventID=5124) or
((EventID=5140) and (ShareName!="\\*C$")) or
((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
(EventID=5148) or
(EventID=5149) or
(EventID=5154) or
(EventID=5155) or
(EventID=5156) or
(EventID=5157) or
(EventID=5158) or
(EventID=5159) or
(EventID=5376) or
(EventID=5379)
</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output graylog>
Module om_udp
Host 192.168.1.1
Port 55555
OutputType GELF_UDP
</Output>
<Route toGraylog>
Path eventlog => graylog
</Route>
Cut out from above. Succeeds:
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Security'>
(EventID=550) or
(EventID=612) or
(EventID=801) or
(EventID=1102) or
(EventID=1104) or
(EventID=1108) or
(EventID=4608) or
(EventID=4616) or
((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
((EventID=4648) and (TargetDomainName="domain.net")) or
(EventID=4649) or
((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
(EventID=4699) or
(EventID=4704) or
(EventID=4717) or
(EventID=4719) or
(EventID=4720) or
(EventID=4726) or
(EventID=4740) or
(EventID=4765) or
(EventID=4766) or
(EventID=4794) or
(EventID=4897) or
(EventID=4946) or
(EventID=4948) or
(EventID=4950) or
(EventID=4964) or
(EventID=5024) or
(EventID=5025) or
(EventID=5030) or
(EventID=5124) or
((EventID=5140) and (ShareName!="\\*C$")) or
((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
(EventID=5148) or
(EventID=5149) or
(EventID=5154) or
(EventID=5155) or
(EventID=5156) or
(EventID=5157) or
(EventID=5158) or
(EventID=5159) or
(EventID=5376) or
(EventID=5379)
</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
Fails:
(EventID=4699) or
(EventID=4704) or
(EventID=4717) or
(EventID=4719) or
(EventID=4720) or
(EventID=4726) or
(EventID=4740) or
(EventID=4765) or
(EventID=4766) or
(EventID=4794) or
(EventID=4897) or
(EventID=4946) or
(EventID=4948) or
(EventID=4950) or
(EventID=4964) or
(EventID=5024) or
(EventID=5025) or
(EventID=5030) or
(EventID=5124) or
(EventID=5148) or
(EventID=5149) or
(EventID=5154) or
(EventID=5155) or
(EventID=5156) or
(EventID=5157) or
(EventID=5158) or
(EventID=5159) or
(EventID=5376) or
(EventID=5379)
Succeeds (Removed bottom 5):
(EventID=4699) or
(EventID=4704) or
(EventID=4717) or
(EventID=4719) or
(EventID=4720) or
(EventID=4726) or
(EventID=4740) or
(EventID=4765) or
(EventID=4766) or
(EventID=4794) or
(EventID=4897) or
(EventID=4946) or
(EventID=4948) or
(EventID=4950) or
(EventID=4964) or
(EventID=5024) or
(EventID=5025) or
(EventID=5030) or
(EventID=5124) or
(EventID=5148) or
(EventID=5149) or
(EventID=5154) or
(EventID=5155) or
(EventID=5156)
Succeeds (Added bottom 5 back and removed top 5):
(EventID=4726) or
(EventID=4740) or
(EventID=4765) or
(EventID=4766) or
(EventID=4794) or
(EventID=4897) or
(EventID=4946) or
(EventID=4948) or
(EventID=4950) or
(EventID=4964) or
(EventID=5024) or
(EventID=5025) or
(EventID=5030) or
(EventID=5124) or
(EventID=5148) or
(EventID=5149) or
(EventID=5154) or
(EventID=5155) or
(EventID=5156) or
(EventID=5157) or
(EventID=5158) or
(EventID=5159) or
(EventID=5376) or
(EventID=5379)
Thank you!
The XPath within QueryXML is passed to the EventLog API as-is, and the error message also comes from MS code. We believe there is a length limitation for the XPath query.
See the Filtering Events section for more information about this.
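As an added example (not part of the question or of the NXLog answer), the PowerShell below builds the QueryXML from a list of EventIDs in the documented `*[System[...]]` form, splits the IDs across several <Select> elements so that no single XPath expression grows too long, and asks the Event Log API itself (Get-WinEvent -FilterXml) whether it accepts the result before the XML goes into nxlog.conf. The function names, the ChunkSize default and the sample EventID list are assumptions chosen for illustration.

```powershell
# Added example, not NXLog's code. Build a QueryList whose Select elements each
# carry only a short OR-chain of EventIDs, then let the Event Log API validate it.
function New-ChunkedQueryXml {
    param(
        [int[]]$EventIds,
        [int]$ChunkSize = 20,          # assumed starting point; lower it if the API still rejects the query
        [string]$Path = 'Security'
    )
    $selects = for ($i = 0; $i -lt $EventIds.Count; $i += $ChunkSize) {
        $last  = [Math]::Min($i + $ChunkSize, $EventIds.Count) - 1
        $chunk = $EventIds[$i..$last]
        # Documented form: *[System[(EventID=a or EventID=b ...)]]
        $xpath = '*[System[(' + (($chunk | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'
        "    <Select Path='$Path'>$xpath</Select>"
    }
    # Several <Select> elements inside one <Query> are OR-ed together by the Event Log API
    return "<QueryList>`n  <Query Id='0' Path='$Path'>`n$($selects -join "`n")`n  </Query>`n</QueryList>"
}

function Test-QueryXml {
    param([string]$QueryXml)
    try {
        # -MaxEvents 1 is enough: an invalid query is rejected before any event is returned
        Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents 1 -ErrorAction Stop | Out-Null
        return $true
    } catch [System.Diagnostics.Eventing.Reader.EventLogException] {
        # Same API error nxlog reports (e.g. "The specified query is invalid")
        Write-Warning "Event Log API rejected the query: $($_.Exception.Message)"
        return $false
    } catch {
        # Typically "No events were found ...": the query was accepted, it just matched nothing
        return $true
    }
}

# Constructed sample list; replace with the IDs you actually want to collect
$ids = 4624, 4625, 4634, 4648, 4688, 4697, 4698, 4699, 4704, 4717, 4719, 4720, 4726, 4740
$xml = New-ChunkedQueryXml -EventIds $ids -ChunkSize 5
if (Test-QueryXml $xml) { $xml }   # prints XML ready to paste between <QueryXML> and </QueryXML>
```

Run it in an elevated PowerShell session, since reading the Security channel requires administrative rights.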