
NXLog Oracle Audit Logs to Alienvault issue.
Hey All, Has anyone successfully configured NXLog/Alienvault for reading Oracle Audit Log files? Our issue is this: NXLog successfully reads and sends it over to Alienvault, where it goes to the AV log file there using the plugin oracle-nxlog.cfg. However, it does not show up in the Alienvault user interface. Also, I realize this is more of an Alienvault question, but their online docs are pretty scarce for this topic and I thought one of you folks may have had success in doing this. Thanks! kel

Kman created
Replies: 1
Access Denied error messaging opening folder
I've created a folder on my local machine where I have admin privileges, however when I send output to the created folder I always get the following error message: "ERROR failed to open C:\location path of the folder\Test_folder; Access is denied." Please see below:

<Output om_api>
    Module om_file
    File "C:\location path of the folder\Test_folder"
</Output>

I've reviewed my folder permissions and I can confirm I've got full access. I've run out of things to check, please help :(

iakanji created
delete is not deleting fields from log
Hello everyone! I would like to delete the EventTime field from the BIND log and not send it to the remote SIEM server. Here is a log example:

11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)

Unfortunately, it seems that I'm doing something wrong because "11-mai-2021 00:27:48.084" still persists in the log. Here is my config:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Input in1>
    Module im_file
    File 'C:\NXLOGTEST\fileTEST.log'
    <Exec>
        # 2. Parse BIND 9 metadata
        if $Message =~ /(?x)^(?<EventTime>\S+\s\S+)\s(?<Category>\S+):\s
                        (?<BINDSeverity>[^:]+):\s(?<Message>.+)$/i
        {
            # I TRIED ALSO LIKE THIS
            delete($EventTime);
            # 3. Parse messages from the queries category
            if $Category == "queries"
            {
                $Message =~ /(?x)^client\s((?<ClientID>\S+)\s)?(?<Client>\S+)\s
                             \((?<OriginalQuery>\S+)\):\squery:\s
                             (?<QueryName>\S+)\s(?<QueryClass>\S+)\s
                             (?<QueryType>\S+)\s(?<QueryFlags>\S+)\s
                             \((?<LocalAddress>\S+)\)$/;
            }
        }
    </Exec>
    #NOW I HAVE IT CONFIGURED LIKE THIS
    Exec delete($EventTime);
</Input>

<Output out1>
    Module om_udp
    Host 192.168.0.227
    Port 514
</Output>

<Route r1>
    Path in1 => out1
</Route>

nxlog.log shows no errors, only this line after starting:

2021-05-11 19:57:20 INFO nxlog-ce-2.10.2150 started

Can anyone help me investigate?

kmarek973 created
Replies: 1
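The point the post above turns on is the difference between an event's fields and its raw line: delete($EventTime) removes a field from the event record, but om_udp with no OutputType writes $raw_event, and the raw line still starts with the timestamp. The Python below is an added illustration, not part of the post and not NXLog's own code; it re-implements the post's two regexes (Python (?P<name>) syntax) on the post's sample line, then shows the field deletion and a raw-line rewrite side by side. The function names are invented for the example.

```python
import re

# Constructed sample: the BIND query log line quoted in the post.
SAMPLE = ("11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 "
          "10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)")

# Step 2 regex from the post, in Python syntax (verbose, case-insensitive).
BIND_META = re.compile(r"""^(?P<EventTime>\S+\s\S+)\s(?P<Category>\S+):\s
                           (?P<BINDSeverity>[^:]+):\s(?P<Message>.+)$""", re.X | re.I)

# Step 3 regex from the post, applied to the "queries" category.
QUERY = re.compile(r"""^client\s((?P<ClientID>\S+)\s)?(?P<Client>\S+)\s
                       \((?P<OriginalQuery>\S+)\):\squery:\s
                       (?P<QueryName>\S+)\s(?P<QueryClass>\S+)\s
                       (?P<QueryType>\S+)\s(?P<QueryFlags>\S+)\s
                       \((?P<LocalAddress>\S+)\)$""", re.X)


def parse_bind(raw_event):
    """Mimic the Exec block: keep the raw line and add parsed fields beside it."""
    record = {"raw_event": raw_event}
    m = BIND_META.match(raw_event)
    if not m:
        return record
    record.update(m.groupdict())
    if record["Category"] == "queries":
        q = QUERY.match(record["Message"])
        if q:
            record.update({k: v for k, v in q.groupdict().items() if v is not None})
    return record


def delete_field(record, name):
    """Equivalent of delete($EventTime): drops the named field and nothing else."""
    record.pop(name, None)
    return record


def strip_event_time(record):
    """Rewrite the raw line so the timestamp no longer leaves the agent."""
    m = BIND_META.match(record["raw_event"])
    if m:
        record["raw_event"] = record["raw_event"][m.end("EventTime"):].lstrip()
    return record


if __name__ == "__main__":
    rec = delete_field(parse_bind(SAMPLE), "EventTime")
    print("field gone, raw still has it:", rec["raw_event"][:24])
    print("after rewrite:", strip_event_time(rec)["raw_event"][:40])
```

In NXLog terms the second step is an assignment to $raw_event in the Exec block (the same idea as the replace() on $raw_event that appears in another post on this page), or switching the output to a structured OutputType so that only fields are sent.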
Need to Remove Timestamp in the default Payload which was added by NXLog Server
Default Payload from Source Host:

<134>1 1515988859.626061236 appliance flows src=172.21.84.107 dst=10.52.193.137 mac=5C:E0:C5:22:85:E4 protocol=tcp sport=50395 dport=443 pattern: allow all

Payload Generated by NXLog Server:

<134>May 7 15:18:02 10.101.100.193 1515988859.626061236 appliance flows src=172.21.84.107 dst=10.52.193.137 mac=5C:E0:C5:22:85:E4 protocol=tcp sport=50395 dport=443 pattern: allow all

Hi, I have a source machine which is sending logs to the NXLog server, and the NXLog server forwards the logs to QRadar. But the payload seems to be different on the NXLog server and QRadar. A timestamp is being added additionally by the NXLog server and forwarded to QRadar. Is there a way to make a change on the NXLog server to forward the default log to QRadar?

BC_471242 created
Replies: 1
Need Hostname to be added in the Log file
Here is what the default nxlog log looks like, but I would need the logs as below. Do you know what needs to be done?

2021-05-07 19:30:15 INFO nxlog-4.2.4216 started
2021-05-07 19:30:15 ERROR couldn't bind tcp socket to 0.0.0.0:514;Address already in use
2021-05-07 19:30:19 INFO successfully connected to agent manager at nxlogmgr.amgen.com:4041 in SSL mode

May 7 19:29:38 (HOSTNAME) INFO nxlog-4.2.4216 started
May 7 19:29:38 (HOSTNAME) ERROR couldn't bind tcp socket to 0.0.0.0:514;Address already in use
May 7 19:29:38 (HOSTNAME) INFO successfully connected to agent manager at nxlogmgr.amgen.com:4041 in SSL mode

(or)

2021-05-07 19:30:15 (HOSTNAME) INFO nxlog-4.2.4216 started
2021-05-07 19:30:15 (HOSTNAME) ERROR couldn't bind tcp socket to 0.0.0.0:514;Address already in use
2021-05-07 19:30:19 (HOSTNAME) INFO successfully connected to agent manager at nxlogmgr.amgen.com:4041 in SSL mode

BC_471242 created
Replies: 1
Ingesting XML Files from a directory
Hi All, I'm currently trying to ingest some XML files into our SIEM platform (outputting to a local file at the moment for testing), and am having some issues reading files from a large directory. The application we're ingesting log files from creates a folder structure and a single XML file per log entry. Example path: "F:\PSP Logs{4D2D2D9D-5379-4BDF-A331-0AF51BA015ED}\2021\05\06\13\File.xml"

I've written the below config and it works fine if you take an existing XML file and append a new line to it; however, if we drop a new XML file into the directory structure, it does not pick up the file. Any ideas on where we might be going wrong? Note: We have tried with SavePOS and ReadFromLast on both True and False, and tried both older XML files and newly created ones.

Panic Soft
define INSTALLDIR C:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location is
# ultimately set by the LogFile directive (see below). The MYLOGFILE define is
# also used to rotate the log file automatically (see the _fileop block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the include line and enable
# LogLevel and LogFile.
include %CONFDIR%*.conf
LogLevel INFO
#LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is changed
# in managed.conf via NXLog Manager, rotation of the new file should also be
# configured there.
<Extension _fileop>
    Module xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Extension xm_xml>
    Module xm_xml
</Extension>

<Extension xm_json>
    module xm_json
</Extension>

<Input MFiles>
    Module im_file
    File "F:\PSP Logs\{4D2D2D9D-5379-4BDF-A331-0AF51BA015ED}\2021\05\*.xml"
    ##InputType linebased
    SavePos FALSE
    readfromlast FALSE
    Recursive TRUE
    <Exec>
        parse_xml();
        to_json();
        log_info('Successful Message Output');
    </Exec>
</Input>

<Output local_file>
    module om_file
    file "C:\test\XML Test Output\Output.txt"
</Output>

<Route local>
    Path MFiles => local_file
</Route>

NathanLowey created
Replies: 1
Parsing an application text log on a Windows box
My applications are running on a Windows server. One of the app logs I wanted to parse to another format, and when I checked, nxlog has the feature. I am new to nxlog, so I thought to understand the working flow of nxlog. I didn't get any. I am getting the articles for Windows event log parsing. Can someone help me with how to parse that, or share any article regarding it? Thanks in advance. Regards, Dhamodharan.

Dhamodharan.Deivasigamani created
Replies: 1
parse logfile with comma in nxlog to logstash
Hi, I am trying to send the file separated with commas as below:

"33,adasdad,null,03May2021,notification,SG,null,null"

In nxlog.conf I wrote:

<Extension log>
    Module xm_multiline
    HeaderLine /^<event>/
    EndLine /^</\event>/
</Extension>

<Input apptype>
    Module im_file
    File "testlog.log"
    <Exec>
        $message = $raw_event;
        to_json;
    </Exec>
</Input>

<Output out>
    Module om_tcp
    Host localhost:port#
    Exec to_json();
</Output>

My logstash configuration:

input {
  tcp {
    port => "port#
    codec => multiline {
      pattern => "^[%{TIMESTAMP_ISO8601}]"
      negate => true
      what => "previous"
    }
  }
}
filter {}
output {
  stdout { codec => rubydebug }
}

The output I am getting is as attached:

{
  "@timestamp" => "2021-05-03T09:47:14.575Z",
  "message" => ""33,adasdad,null,03May2021,notification,SG,null,null",
  "@version" => "1",
  "tags" => [
    [0] "multiline",
    [1] "multiline_codec_max_lines_reached"
  ],
  "host" => "<localhost>",
  "port" => <port#>,
  "EventReceivedTime" => "2021-05-03T17:47:14.472325+08:00",
  "SourceModuleName" => "<apptype>",
  "SourceModuleType" => "im_file",
}

deepap created
Replies: 1
Relocating directories to new one in AIX server
Hi, I am trying to install and run nxlog in a directory other than /opt, like <muser>/opt/nxlog. I read through the https://nxlog.co/documentation/nxlog-user-guide/relocating.html link and did the changes in nxlog.conf. But one of the steps in the above link says to modify rpath. I tried with the command given in the link; as I am trying on an AIX server, chrpath and patchelf are not working. Tried as below as well:

db2chglibpath --search=<oldpath> --replace=<newpath> <folderwith/myuserfolder/opt/nxlog/lib

which showed the command doesn't exist. Please help me solve this issue.

deepap created
Log generated by nxlog is having multiple extra special characters
We are testing nxlog as a syslog forwarder to replace Windows' own provided forwarder EvtSys. We are getting logs at the syslog server, but see many special characters such as #015, #012, #011 in multiple places in the log. Below is the configuration of the .conf file:

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_udp
    Host ...*
    Port 514
</Output>

#################### ROUTE ###########
<Route r2>
    Path in => out
</Route>

Can you please guide us how to resolve it. I am hereby providing log snippets of both the EvtSys generated log and the nxlog generated log.

Sample log snippet generated by Windows syslog forwarder EvtSys:

Apr 22 09:01:03 WindowsHostMachine Security-Auditing: 4624: AUDIT_SUCCESS An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WindowsHostMachine$ Account Domain: TEST Logon ID: 0x3E7 Logon Type: 10 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3128912327-2939948577-25280133-5861

Sample log snippet generated by nxlog:

Apr 20 12:41:55 2021-04-20 12: 41:29 WindowsHostMachine AUDIT_SUCCESS 4624 An account was successfully logged on.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-0-0#015#012#011Account Name:#011#011-#015#012#011Account Domain:#011#011-#015#012#011Logon ID:#011#0110x0#015#012#015#012Logon Type:#011#011#0113#015#012#015#012Impersonation Level:#011#011Impersonation#015#012#015#012New Logon:#015#012#011Security ID:#011#011S-1-5-21-3128912327-2939948577-25280133-30353#015#012#011

anilbqkumar created
Replies: 1
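The #015, #012 and #011 sequences in the nxlog-generated line above are octal escapes for carriage return, line feed and tab: the Windows event message is multi-line and tab-indented, and syslog receivers that escape control characters on receipt (rsyslog does this by default) render each one as '#' plus its three-digit octal code. The Python below is an added illustration, not part of the post and not NXLog's or rsyslog's code; it decodes the escapes back into the original message lines and shows the flattening an agent would do before sending so that nothing is left for the receiver to escape. Function names are invented for the example.

```python
import re

# '#' followed by exactly three octal digits, e.g. #015 (CR), #012 (LF), #011 (TAB).
ESCAPE = re.compile(r"#([0-7]{3})")

# Constructed: the first part of the nxlog-produced line quoted in the post.
SAMPLE = ("An account was successfully logged on.#015#012#015#012Subject:#015#012"
          "#011Security ID:#011#011S-1-0-0#015#012#011Account Name:#011#011-#015#012")


def unescape_control_chars(text):
    """Replace each #ooo escape with the control character it encodes."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def message_lines(text):
    """Recover the lines of the original Windows event message.

    CR/LF pairs become line breaks, runs of tabs collapse to one space,
    and the blank separator lines are dropped.
    """
    decoded = unescape_control_chars(text).replace("\r\n", "\n")
    lines = [re.sub(r"\t+", " ", line).strip() for line in decoded.split("\n")]
    return [line for line in lines if line]


def flatten_for_syslog(text):
    """What the sending agent can do instead: collapse CR/LF/TAB into single
    spaces so the message travels as one clean syslog line."""
    return re.sub(r"[\r\n\t]+", " ", unescape_control_chars(text)).strip()


if __name__ == "__main__":
    for line in message_lines(SAMPLE):
        print(line)
    print(flatten_for_syslog(SAMPLE))
```

On the NXLog side the flattening step corresponds to a replace() on $Message in an Exec block before the output module (replace() is the same function another post on this page uses on $raw_event); the receiver-side decoding is only needed for data that has already been stored escaped.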
(SID resolved) WEC on Linux: uid_to_name() returns null
Hello! Testing WEC on Linux. The uid_to_name () function in the xm_resolver module returns null. How can this problem be solved?

Roman_Andreev created
Replies: 1
HMAC Message Integrity (pm_hmac) deprecated
In the NXLog User Guide (https://nxlog.co/documentation/nxlog-user-guide/pm_hmac.html) I read that the pm_hmac module is deprecated and will be removed in future releases. I need to implement a hash chaining log flow; how can I do it without that module in future? Thank you

rdndnl created
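Hash chaining, the property the post above wants to keep, needs only a keyed hash and a rule that each record's tag covers the previous tag: every record is then bound to everything before it, so a modified, removed or reordered record invalidates every later tag. The Python below is an added illustration, not from the post and not pm_hmac's format or code; it builds and verifies such a chain with HMAC-SHA256 over constructed log lines and shows how tampering and deletion are detected. The key shown is a placeholder for the example, and the function names are invented.

```python
import hashlib
import hmac

# Placeholder key for the example. A real key comes from a secret store and is
# never kept next to the log files it protects.
KEY = b"demo-key-not-for-production"
# Fixed anchor value that plays the role of "previous tag" for the first record.
SEED = b"\x00" * 32

# Constructed sample records.
RECORDS = [
    b"2021-04-28 17:18:36 INFO connecting to agent manager",
    b"2021-04-28 17:19:06 INFO reconnecting to agent manager in 128 seconds",
    b"2021-04-28 17:19:06 ERROR couldn't connect to agent manager's SSL socket",
]


def _tag(key, prev_tag, record):
    """tag_i = HMAC(key, tag_{i-1} || record_i)."""
    return hmac.new(key, prev_tag + record, hashlib.sha256).digest()


def chain_records(records, key=KEY):
    """Return a list of (record, tag) pairs forming a hash chain."""
    chained, prev = [], SEED
    for rec in records:
        tag = _tag(key, prev, rec)
        chained.append((rec, tag))
        prev = tag
    return chained


def verify_chain(chained, key=KEY):
    """Return the index of the first record whose tag does not fit the chain,
    or None when the whole chain verifies."""
    prev = SEED
    for i, (rec, tag) in enumerate(chained):
        if not hmac.compare_digest(_tag(key, prev, rec), tag):
            return i
        prev = tag
    return None


if __name__ == "__main__":
    chain = chain_records(RECORDS)
    print("intact:", verify_chain(chain))
    broken = chain[:1] + chain[2:]          # record 1 removed
    print("first bad index after deletion:", verify_chain(broken))
```

The verifier reports the first record that fails, which is also where a truncated or spliced log diverges from the original; because compare_digest is used, the check does not leak timing information about how much of a forged tag matched.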
How to add hostname as Prefix to Log File nxlog.log
Hi, I would like to send the logs of nxlog.log to an external SIEM. Here is the sample log file, but I need the hostname added as a prefix to each log file as shown below. Is there a way we can use rsyslog or the nxlog.conf file to do it?

Before

2021-04-28 17:18:36 INFO connecting to agent manager at nxlogmgr.amgen.com:4041
2021-04-28 17:19:06 INFO reconnecting to agent manager (nxlogmgr.amgen.com) in 128 seconds
2021-04-28 17:19:06 ERROR couldn't connect to agent manager's SSL socket on nxlogmgr.amgen.com:40

After

Apr 28 17:23:36 Hostname bash[XXXXX]: INFO connecting to agent manager at nxlogmgr.amgen.com:4041
Apr 28 17:23:36 Hostname bash[XXXXX]: INFO reconnecting to agent manager (nxlogmgr.amgen.com) in 128 seconds
Apr 28 17:23:36 Hostname bash[XXXXX]: ERROR couldn't connect to agent manager's SSL socket on nxlogmgr.amgen.com:40

BC_471242 created
Replies: 1
Windows event log(ID 4624) has not been sent to the windows log collection server
Hi, everyone. I would appreciate it if you could give me useful tips to clarify the problem and collect event log (ID 4624) on NXLog. FYI, the configuration file is pasted below, as something may be wrong with a part of it. The IP address and port No. in the config file were replaced intentionally.

<Background>
- Event logs such as ID 4624 and 4634 have been output to Security.evtx.
- The Security log has been sent to the Log Collection Server by NXLog.

<Input In_MSEventlogs>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="Application"></Select>
            <Select Path="System"></Select>
            <Select Path="Security">*</Select>
        </Query>
    </QueryList>
</Input>

- Currently, a part of the Windows event log (ID 4624) has not been sent to the Windows log collection server, while event log (ID 4634) has been sent.

-- nxlog.conf --

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets UTF-8, UCS-2LE
</Extension>

# Load the json extension
<Extension json>
    Module xm_json
</Extension>

<Input msdns>
    Module im_file
    File "C:\Windows\Sysnative\dns\dns.log"
    ReadFromLast False
    SavePos False
    Exec $FileName = file_name();
    Exec $Hostname = hostname_fqdn();
    Exec $raw_event = "NXLOG|" + $Hostname + "|OFFBOX-MSDNS-TO-LCP|" + $FileName + "::::" + $raw_event;
</Input>

# Send the read log lines out to nxlog server
<Output out-msdns>
    Module om_tcp
    Host IP address of the Log server
    Port DNS
    OutputType LineBased
</Output>

# Build the route from nxlog on Windows to nxlog on server
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input In_PowerShell>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="Windows PowerShell"></Select>
            <Select Path="Microsoft-Windows-PowerShell/Operational"></Select>
        </Query>
    </QueryList>
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
</Input>

<Input In_MSEventlogs>
    Module im_msvistalog
    Exec if ($EventID == 5156) drop();
    Query <QueryList>
        <Query Id="0">
            <Select Path="Application"></Select>
            <Select Path="System"></Select>
            <Select Path="Security">*</Select>
        </Query>
    </QueryList>
</Input>

<Output Out_MSEventlogs>
    Module om_udp
    Host IP address of the Log server
    Port WEL
    Exec to_syslog_snare();
</Output>

<Output Out_PowerShell>
    Module om_udp
    Host IP address of the Log server
    Port PS
    Exec to_syslog_snare();
    Exec $raw_event = replace($raw_event, "MSWinEventLog", "PowerShell");
</Output>

<Route 1>
    Path msdns => out-msdns
</Route>

<Route 2>
    Path In_PowerShell => Out_PowerShell
</Route>

<Route 3>
    Path In_MSEventlogs => Out_MSEventlogs
</Route>

AyakoFukumoto created
Replies: 1
Having the below error when trying to config DHCP logging via NXLog CE
2021-04-25 00:00:00 INFO LogFile C:\Program Files (x86)\nxlog\data\nxlog.log reopened
2021-04-25 00:00:14 ERROR apr_stat failed on file C:\Windows\Sysnative\dhcp\DhcpSrvLog-Sun.log; Access is denied.
2021-04-25 00:00:16 WARNING input file was deleted: C:\Windows\Sysnative\dhcp\DhcpSrvLog-Sun.log
2021-04-26 00:00:45 ERROR apr_stat failed on file C:\Windows\Sysnative\dhcp\DhcpSrvLog-Mon.log; Access is denied.
2021-04-26 00:00:47 WARNING input file was deleted: C:\Windows\Sysnative\dhcp\DhcpSrvLog-Mon.log

Smitha.H.C created
Replies: 1
Initial Installation of NXLog in Windows Server 2016
Starting our first install and would appreciate a step by step or similar doc.

arch created
Replies: 1
Millisecond issue on XM_GELF for parsing timestamp
I am using nxLog CE as a log shipper, but I found an issue with the GELF module and millisecond precision in the timestamp. The millisecond precision is not added to the timestamp (EventTime as well). When I use the gelf extension the millisecond precision is dropped. Basically, although I have in the log file something like this:

...
2021-04-26T14:28:14.269+00:00 [sync_ldap_trigger.sh] [DEBUG] Get list of users from AD/LDAP successfully (with 1 records)
...

and for parsing I am using a REGEX for multi-line detection. It doesn't matter if I am using the date parsing function parsedate or strptime or nothing, just pure $1:

#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = parsedate($1); $script = $2 ; $Severity = $3 ; $Message = $4 ;
#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S.%N%Z'); $script = $2 ; $Severity = $3 ; $Message = $4 ;
Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = $1; $script = $2 ; $Severity = $3 ; $Message = $4 ;

I excluded "buffer" from the path to be sure, and all parsing is done in the im_file section. For sure I am testing it with file output from the same source. But in the tcpdump I still have the timestamp without the millisecond precision, which is confirmation for me that this information is lost on the shipper side.

tcpdump detailed packet output:

CNSCNc@{"version":"1.1","_EventReceivedTime":"2021-04-26 14:32:15","_SourceModuleName":"peosynclog","_SourceModuleType":"im_file","_script":"sync_ldap_trigger.sh","_Severity":"DEBUG","_SyslogSeverityValue":7,"_FileName":"/home/adsync/bin/adsync2amish/log/sync_general.log","_order":"VNB","_environment":"TEST","host":"amishd-test.vnbrno.cz","short_message":"Get list of users from AD/LDAP successfully (with 1 records)","full_message":"Get list of users from AD/LDAP successfully (with 1 records)","timestamp":1619447535,"level":7}

nxlog.conf:

########################################
# Global directives                    #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

# PeoSYNC
define PEOSYNCREGEX /^(?<EventTime>\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}.\d{3}\+\d{4})[\ ,\t]*\[(?<Script>[\S,\.,\_]+)\][\ ,\t]*\[(?<Severity>[\S,\-,\ ]+)\][\ ,\t]*(?<Message>[\S,\s]*)/

define ROOT /var/spool/nxlog
CacheDir %ROOT%/data
SpoolDir %ROOT%/data

########################################
# Modules                              #
########################################
<Extension multilinepeosync>
    Module xm_multiline
    HeaderLine %PEOSYNCREGEX%
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

########################################
# Inputs                               #
########################################
<Input peosynclog>
    Module im_file
    File "/home/adsync/bin/engine/log/sync_general.log"
    InputType multilinepeosync
    SavePos TRUE
    #Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = parsedate($1); $script = $2 ; $Severity = $3 ; $Message = $4 ;
    #Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S.%N%Z'); $script = $2 ; $Severity = $3 ; $Message = $4 ;
    Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = $1; $script = $2 ; $Severity = $3 ; $Message = $4 ;
    <Exec>
        if $Severity !~ /NEVERUSEDSTRING/
        {
            if $Severity =~ /ALERT/ $SyslogSeverityValue = 1;
            if $Severity =~ /CRIT/ $SyslogSeverityValue = 2;
            if $Severity =~ /ERR/ $SyslogSeverityValue = 3;
            if $Severity =~ /WARN/ $SyslogSeverityValue = 4;
            if $Severity =~ /NOTICE/ $SyslogSeverityValue = 5;
            if $Severity =~ /INFO/ $SyslogSeverityValue = 6;
            if $Severity =~ /---/ $SyslogSeverityValue = 6;
            if $Severity =~ /SQL/ $SyslogSeverityValue = 7;
            if $Severity =~ /DEBUG/ $SyslogSeverityValue = 7;
        } else {
            # Parsing and dropping all messages which are NEVERUSEDSTRING (or INFO|DEBUG if you want change) severity
            drop();
        }
        $FileName = file_name();
        $Hostname = 'someserver-dev.loc';
        $order = 'ORDER';
        $environment = 'DEV';
        # if not defined($EventTime) $EventTime = now();
    </Exec>
</Input>

########################################
# Outputs                              #
########################################
<Output graylogtcppeosyncrewrite>
    Module om_tcp
    Host 127.0.0.1
    Port 20228
    OutputType GELF_TCP
</Output>

<Output file>
    Module om_file
    File "/tmp/sync_general.log"
</Output>

########################################
# Define Processor Modules             #
########################################
<Processor bufferpeosync>
    Module pm_buffer
    MaxSize 524288
    Type disk
    WarnLimit 393216
</Processor>

########################################
# Routes                               #
########################################
<Route 1>
    #Path peosynclog => bufferpeosync => graylogtcppeosyncrewrite
    Path peosynclog => graylogtcppeosyncrewrite
</Route>

<Route 2>
    Path peosynclog => file
</Route>

Please, anyone, help with a solution for this issue.

Michal

BTW: Of course I tried more formats for the timestamp, such as 2021-04-26T14:28:04.240+02:00 or 2021-04-26T14:28:04.240+0200 etc. The format in the log is in my hands too.

juvie created
Replies: 1
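For reference on what the post above is measuring: in GELF 1.1 the "timestamp" field is seconds since the UNIX epoch and may carry decimal places for sub-second precision, so a payload with "timestamp":1619447535 has already lost the milliseconds, while one with "timestamp":1619447294.269 has kept them. The Python below is an added illustration, not the post's configuration and not xm_gelf's code; it converts the post's ISO-8601 log timestamp (with milliseconds and UTC offset) into a GELF timestamp that keeps the fraction and gives a small check for a captured payload. Function names are invented for the example; the test values were derived from the post's own captured timestamp (14:32:15 UTC on 2021-04-26 is 1619447535).

```python
import json
from datetime import datetime

# Constructed: the log line format quoted in the post.
SAMPLE_ISO = "2021-04-26T14:28:14.269+00:00"


def iso_to_gelf_timestamp(iso):
    """Parse 'YYYY-MM-DDTHH:MM:SS.fff+HH:MM' and return GELF seconds as a float.

    The offset is honoured, so the result is always UTC-based epoch seconds;
    rounding to microseconds removes binary float noise without touching the
    millisecond digits the log carries.
    """
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S.%f%z")
    return round(dt.timestamp(), 6)


def build_gelf(iso, host, short_message):
    """Assemble the required GELF 1.1 fields with a sub-second timestamp."""
    return {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": iso_to_gelf_timestamp(iso),
    }


def timestamp_keeps_fraction(gelf_json):
    """True when the encoded payload's timestamp has a non-zero fractional part.
    Useful for checking what actually left the shipper (e.g. from a tcpdump)."""
    ts = json.loads(gelf_json)["timestamp"]
    return isinstance(ts, float) and ts != int(ts)


if __name__ == "__main__":
    payload = json.dumps(build_gelf(SAMPLE_ISO, "example-host", "constructed message"))
    print(payload)
    print("fraction kept:", timestamp_keeps_fraction(payload))
```

Running the check against the post's captured packet (the JSON after the framing bytes) returns False, which matches the symptom described; running it against a payload produced by build_gelf returns True.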
NXlog service is up but stops writing to file
Design: strict network design with multiple security zones; the nxlog client on all Linux servers forwards logs to the local zone collector (nxlog listening on 0.0.0.0 port 514), zone collectors forward to single master collectors, and master collectors dump all incoming events into a dump file for long-term storage and forward them to a SIEM. This has worked OK for a year, albeit with a few glitches, but recently we have experienced that the master collectors stop writing to the dump file (apparently at random), yet the nxlog service remains up and running. The fix is to restart the nxlog service. All collectors have defined buffers - could there be something wrong with that part of the setup? All suggestions are welcome :)

DS_534595 created
Replies: 1
Nxlog configuration in AIX
Can we relocate the directory structure to our preferred folder while configuring nxlog, like below?

/opt ---> /<ouruser>/opt

What are the changes we need to do if we want to do that? I changed the /<ouruser>/nxlog/etc/init file to point to the new folder, and ALSO the nxlog.conf path. But I got the error "Could not load program <ouruser>/nxlog/bin/nxlog : Dependent module libnx.so could not be loaded".

deepap created
Replies: 1
pm_pattern - matchfield
I'm trying to figure out a good way of only forwarding along events of significance and filtering out the rest, but without having hundreds of lines of XPath queries in the nxlog.conf file. I understand that multiple blocks are AND'd together and that 'type' may only be "exact or regexp", but there doesn't appear to be any negation logic (e.g. NOT item or OR item). Is the 'pm_pattern' module the best approach for trying to accomplish this? Can pattern matches in the patterndb.xml file be defined to drop matching messages? Would a viable approach be to define capture groups to set a variable, then just have something like 'Exec if defined $unwantedMatch { drop(); }'?

XPath Query:

<Suppress Path="Security">
    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]]
    and *[EventData[ ( (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') or Data[@Name='TargetUserName']='ANONYMOUS LOGON' or Data[@Name='TargetUserSID']='S-1-5-18' )]]
</Suppress>

patterndb.xml attempt:

7 Suppress Service Logons
EventID regexp 4624|4625|4634
Level regexp 0|4
if ( $LogonType =~ /0|5/ or $TargetUserName == 'ANONYMOUS LOGON' or $TargetUserSID == 'S-1-5-18' ) drop();

XPath Query:

*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4624]]
and *[EventData[Data[@Name='LogonType']='3']]
and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
and *[EventData[Data[@Name='TargetDomainName']!='TEST']]

patterndb.xml attempt:

2 Pass the Hash Success Detection
EventID exact 4624
Severity exact INFO
LogonType exact 3
AuthenticationPackageName exact NTLM
TargetUserName regexp (?!ANONYMOUS LOGON)
TargetDomainName regexp (?!TEST)
$PatternID=2;

Thank you for any wisdom/assistance.

tiparker created
Replies: 1