Problem with NT AUTHORITY\СИСТЕМА in windows event log

Hello.

While reading a log from Windows, I got a string with two encodings, WIN-1251 and UTF-8:

like 2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\҈Ғƌ�Центр обновления Windows начал скачивать обновление.

where the whole message is in UTF-8, but the part with the AccountName (usually NT AUTHORITY\SYSTEM in the English version of Windows 7, but NT AUTHORITY\СИСТЕМА in the Russian version) looks like NT AUTHORITY\҈Ғƌ� in the logs.

If I use 

Asked March 23, 2017 - 9:39am
6 responses

Problem with Windows Event

Hello,

nxlog CE v2.9.1504, Windows Server 2008 Enterprise

Relevant part of the config file:

Asked March 21, 2017 - 5:39pm
1 response

Forwarding events from Windows eventlog collector's "Forwarded Events" to Sumo

Hi All,

Checking to see if anyone has run into this. I have a Windows event log collector with a subscription set up to move specific security audit events to the "Forwarded Events" log. From there, I am looking to push those logs to Sumologic. Unfortunately Sumo's collector does not handle this well due to the out-of-sequence EventRecordID of the various events coming from the multiple desktops/servers we're collecting from.

Question:

Asked March 20, 2017 - 4:35pm
0 responses

regex to drop certain string from message

Hello All,


I am new to nxlog, or rather to the logic of regex and all.

I am looking to drop any message which has *.*.*.255 in the message field. I tried the below, however it does not seem to be working for me:


# Drop any message containing an IPv4 address whose last octet is 255 (e.g. a broadcast address).
# Octets may be 1-3 digits (0-255); dots are escaped so they match literally, and \b keeps the
# match from starting or ending inside a longer digit run. The original pattern's mid-pattern ^
# anchors and unescaped " . " could never match inside a message.
Exec if $Message =~ /\b([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.255\b/ drop();


Please suggest

Asked March 20, 2017 - 2:46pm
