
Windows event logging
Forgive my ignorance, but I'm looking to use NXLog to capture all Windows events under System, Application and Security, whether they be Audit, Info, Error or Critical. Am I correct in my assumption that with no filters it should collect everything?

<Select Path='Application'>*</Select>
<Select Path='Security'>*</Select>
<Select Path='System'>*</Select>

Or do I need to specify each severity level on its own line? For example:

<Select Path='Application'>*[System/Level=4]</Select>
<Select Path='Application'>*[System/Level=3]</Select>
<Select Path='Application'>*[System/Level=2]</Select>

and so on?

scotty created
Replies: 1
Nxlog CE agent forwarding all Windows Events despite the query level filter
Hello everybody, I'm trying to filter the Windows event log by severity/level, only from Warning to Critical, so from Level 1 to 3. Unfortunately, I have tried several configurations, but the agent is still forwarding all the events, as if there were no filters. My specifications are: NXLog CE agent (version 2.10.2102) on Windows 10 64-bit, build 1803, with this conf:

Panic Soft
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='Security'>*[System[(Level=1)]]</Select>
                <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_tcp
    Host X.X.X.X
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path eventlog => buffer => out
</Route>

Am I missing something? Did something change recently in the syntax? Thanks for your help. Best regards :)

Olistra created
Replies: 2
Nxlog syntax for capturing Windows Event Viewer logs
Hello, I am using NXLog to capture Windows Event Viewer logs. I have the requirements below: (1) forward Event ID 4624 events; (2) forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes. Both of the above events are from the "Security" category of Event Viewer. If I use the syntax below, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my Query block?

Query <QueryList>\
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID=4624)]]</Select>\
        <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='')]]</Select>\
    </Query>\
</QueryList>

Do I need to define 2 separate Query blocks, one with Id=0 and the other with Id=1, like this?

Query <QueryList>\
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID=4624)]]</Select>\
    </Query>\
    <Query Id="1">\
        <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]</Select>\
    </Query>\
</QueryList>

Neeraj79 created
Replies: 1
How to forward Event IDs for specific process names
Hello, we are using NXLog to forward our Windows Event Viewer logs to our syslog server. On our Windows clients we have enabled process auditing, so this logs thousands of events for every process that gets launched and terminated. There is a common event ID, 4688, when a process gets created (launched). If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events, each with the same event ID 4688, but the actual message in each event contains the name of the corresponding process or program that was launched. For example:

Event 4688 ... a process "cmd.exe" was launched
Event 4688 ... a process "word.exe" was launched
Event 4688 ... a process "notepad.exe" was launched
Event 4688 ... a process "abc.exe" was launched
Event 4688 ... a process "xyz.exe" was launched

My requirement is to only forward those events that are coming from a particular process, say "notepad.exe", and ignore the other processes even though each one of them has the same event ID. Hope I am clear. Below is a snippet of the "Input" module from my nxlog.conf. How can I customize or filter the code below to filter on the process name "notepad.exe" that I want, instead of sending every event 4688?

<Input in>
    Module im_msvistalog
    ReadFromLast True
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID=4688)]]</Select>\
        </Query>\
    </QueryList>
</Input>

Neeraj79 created
Replies: 1
NXLog SeverityValue for Windows Events
When NXLog ships a Windows event, it appears to be changing the original Windows severity level and replacing it with SeverityValue and Severity, which have different values. What is the mapping of these values? If Windows has severity values, with "Level" being 4 for Information, 3 for Warning, 2 for Error and 1 for Critical, what is the NXLog-created SeverityValue? Also, I couldn't find an explanation of why this value is changing.

cybergoof created
Replies: 1