
Service stops unexpectedly

Hi

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

I configured it according to the above site. As a result, an unexpected service outage occurs. Please tell me what measures to take.


taiei created
Replies: 4
Code error in line where there is no code

When I use xm_perl with this code from /usr/libexec/nxlog/modules/extension/perl/event1.pl:

```
use Log::Nxlog;
use strict;
use warnings;
use feature 'say';
use JSON;
use utf8;

sub rec2msg {
    # xm_perl passes the event record as the first argument; under
    # "use strict" it must be declared before use
    my ( $event ) = @_;
    my $msgsrcaddr = Log::Nxlog::get_field($event, 'MessageSourceAddress');
    if ( defined($msgsrcaddr) )
    {
        Log::Nxlog::set_field_string($event, 'MessageSourceCountry', "France");
    }
}
```

It gives me a strange error:

```
syntax error at /usr/libexec/nxlog/modules/extension/perl/event1.pl line 16, at EOF
```

However, there is no code at line 16 at all. What does that mean? It happens when I use any perl code.


EZ created
Replies: 1
How to extract data from unnamed EventData Data fields of Event
Hi! Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without a name, or let's say unnamed Data fields, e.g. EventID 2889 (unsigned LDAP requests):

```
- - 2889 0 4 16 0 0x8080000000000000 242410 Directory Service PC1.DOMAINXY.local - 172.172.172.172:33426 DOMAINXY\USERXY 0
```

Simply sending this to syslog works like a charm. But in this case I would like to get the values from all three fields into $raw_event with a special text, like:

```
define EventID_2889_REGEX /(?x) \
    (?(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)) \
    (?([\w\d]+)) \
    (?(\d+))/

Module im_msvistalog
Query \
    \
    *[System[(EventID=2889)]]\
    \
Exec $EventData =~ %EventID_2889_REGEX%;
Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]";
Exec $SyslogFacilityValue = 21;
Exec $SyslogFacility = "LOCAL5";
Exec $ProcessID = $SubjectUserName;
Exec $SourceName = "2889";
Exec parse_syslog_ietf();
Exec to_syslog_ietf();
```

I tried a lot, read the NXLog CE documentation hints, googled for days now... to list it all up here would explode the forum ;-) Could you please give me some hints on how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured? Thanks in advance!

DH created
Replies: 1
im_exec on schedule
Hello, I'm trying to implement some kind of "inventory" module in nxlog for Windows-based machines. The idea is to run CMD and get basic info like OS information, members of the local admin group or active sessions of users; those are just examples, the goal would be to execute CMD and get data every X hours/days.

As a PoC, I have the following configuration:

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_syslog

Module xm_json

Module im_exec
Command "C:\Windows\System32\cmd.exe"
Arg /k
Arg dir

Module om_file
File "D:\\nxlog_debug.log"

Path message => out_debug
```

It works, I can see the output of the dir command in a .log file. However I cannot find the right way to add a "schedule". I tried several ways, but it always fails with a config error. Based on this example, is it possible to run CMD with arguments on a schedule?

kumdabur created
Replies: 1
Windows Events appear with escaping xml characters

Hello, Windows events are processed as JSON, but some fields like "CommandLine", "TaskContent", "EventData" etc. arrive with XML escape sequences, like &lt; for <, &gt; for >, &amp; for &, &quot; for ".

Is it possible to disable escaping globally? Or is the only option to solve the problem to use the unescape_xml function for every field, like:

```
$CommandLine = unescape_xml($CommandLine);
$TaskContent = unescape_xml($TaskContent);
```


RAZR created
Replies: 1
Emitting Metrics from NXLog-EE

Hi,
Can NXLog collect and emit metrics on Linux and Windows?

It looks like Windows can be achieved with im_winperfcount but I haven't found metrics for Linux.

Does this exist in the Enterprise Edition?

Thanks!


casey1234 created
Replies: 1
Nxlog export Windows Logs to Rsyslog Server

How do I fix abnormal output log file names like these?

```
WAP01.tks.co.th-",&quot;Sec-Fetch-Mode&quot;.log
WAP01.tks.co.th-\r\n-.log
WAP01.tks.co.th-l+xml,application.log
```

My NXLog configuration:

```
## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

## Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_tcp
    Host 10.6.5.133
    Port 514
    Exec $Hostname = hostname_fqdn();
    Exec $SyslogFacility = 2;
    #Exec $SourceName = 'eventlogs';
    #Exec to_syslog_bsd();
    #Exec to_syslog_snare();
    Exec to_syslog_ietf();
    Exec $Message = to_json(); to_syslog_bsd();
</Output>

<Route 1>
    Path in => out
</Route>
```

I want to:

Input `<Select Path="Application">*</Select>` ---> output hostname.application.log
Input `<Select Path="System">*</Select>` ---> output hostname.system.log
Input `<Select Path="Security">*</Select>` ---> output hostname.security.log


kunagorn.g created
Replies: 1
Kafka output to Azure Event Hub

I have a SaaS vendor that uses NXLog to send logs to customers and I would like them to send to an Azure Event Hub that has Kafka enabled so we don't need to use VPNs. I'm able to connect and produce messages to the topic with python and logstash but they seem to be having issues with NXLog.

This is the error they tell me they are getting:

```
2020-04-09 09:41:27 ERROR rdkafka: [thrd:sasl_ssl://servername.servicebus.windows.net:9093/boots]: sasl_ssl://servername.servicebus.windows.net:9093/bootstrap: SASL GSSAPI mechanism handshake failed: Local: Broker transport failure: broker's supported mechanisms: (n/a) (after 0ms in state DOWN)
```

Azure seems to have specific requirements/limitations, the configuration below works for logstash and it uses sasl_jaas_config to pass the authentication data:

```
output {
  kafka {
    codec => json
    topic_id => "kafkatopic"
    bootstrap_servers => "eventhubname.servicebus.windows.net:9093"
    client_id => "azshrelasea01p"
    compression_type => "none"
    sasl_jaas_config => "org.apache.kafka.common.security.plain.PlainLoginModule required username='$ConnectionString' password='Endpoint=<eventhubconnectionstring>';"
    sasl_mechanism => "PLAIN"
    security_protocol => "SASL_SSL"
    ssl_truststore_password => "password"
    ssl_truststore_location => "/elastic/trust.jks"
    ssl_truststore_type => "jks"
    batch_size => 250
    linger_ms => 6000
  }
}
```

Looking around the internet, it seems that librdkafka has some requirements that have to be met but I don't know how the nxlog config would look to implement these:

https://github.com/Azure/azure-event-hubs-for-kafka/issues/51
https://brokenco.de/2019/04/04/azure-eventhubs-rust.html

Anyone have any experience with this or could help me convert these logstash configs to a nxlog one? It looks like I need to use the Option function and pass the settings there for librdkafka but I don't have a lot of experience with NXLog.

Thanks!


sera123k created
Replies: 1
NXlog and Graylog sidecar - ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.

I am trying to ship Windows logs to Graylog using Nxlog and when trying to apply my configuration, the Sidecar gives me the following error:

ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.

Any idea what could be wrong? I followed the instructions here https://docs.graylog.org/en/3.2/pages/sidecar.html#nxlog-on-windows to set it up.

Thank you.


junior466 created
Replies: 1
NXLog CE is not sending any data

Hello,

I am having the problem that nothing is sent to the server and I don't know why. Here is my config:

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
LogLevel INFO

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

define BASEDIR C:\MessageTracking

<Input in_exchange>
    Module im_file
    File '%BASEDIR%\MSGTRK*-*.LOG' # Exports all logs in Directory
    SavePos TRUE
    Exec if $raw_event =~ /HealthMailbox/ drop();
    Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
    Module om_udp
    Host 10.2.1.22
    Port 5141
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'exchange_msgtrk_log';
    Exec to_syslog_bsd();
</Output>

<Route exchange>
    Path in_exchange => out_exchange
</Route>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>
```


EliWallic created
Replies: 2
How could I pass output of to_json() from nxlog.conf to perl file?
Hi, I have this type of input in nxlog.conf:

```
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog(); to_json(); perl_call("process");
```

My question is, how should I include the JSON output that I get from to_json() in my perl code? Should I write it like this?

```
my ( $event ) = @_;
```

Or is it only the output of parse_syslog_bsd() (as in the example for xm_perl https://nxlog.co/documentation/nxlog-user-guide/xm_perl.html)? **More generally, my question is how to include the JSON output that I get from to_json() in the perl code of the xm_perl module?**

EZ created
Replies: 1
QueryXML conditionally, based on what's installed on Windows server?
Hi all, how do I divide my NxLog configuration file into conditionals based on queries? I have an nxlog.conf that doesn't apply equally to all hosts, and NxLog fails if it has to query something that doesn't exist on a Windows server. I'd like to keep 1 nxlog.conf for all servers instead of having to maintain many confs for a variety of servers. In pseudocode:

```
if [ exists Microsoft-Windows-TerminalServices ] then
    *
```

However I'm having a hard time translating a lot of the "if statements" I see to NxLog query formats... anyone have any resources or tips to guide me? Here's what I tried, obviously wrong, \ cannot be in \

```
if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational') *
```

Also tried:

```
if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational') \
    \
    \
    \
    * \
    \
    \
```

Thanks for your help.

wbollock created
Replies: 1
NXlog is not connecting to ElasticSearch server

I am configuring NXLog to send to an Elasticsearch server using om_elasticsearch, but it doesn't connect.

Here is the nxlog.conf file:

```
User root
Group system
Panic Soft

# default values:
PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
CacheDir /opt/nxlog/var/spool/nxlog
ModuleDir /opt/nxlog/lib/nxlog/modules
ModuleDir /opt/nxlog/libexec/nxlog/modules
SpoolDir /opt/nxlog/var/spool/nxlog

define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Input file>
    Module im_file
    File '/<path/to/my/logfile/*log'
    # Parse log here if needed
    # $EventTime should be set here
</Input>

<Output out>
    Module om_elasticsearch
    URL http://linuxServer:9200/_bulk
    FlushInterval 2
    FlushLimit 100

    # Create an index daily
    Index       strftime($EventTime, "nxlog-%Y%m%d")

    # Use the following if you do not have $EventTime set
    #Index      strftime($EventReceivedTime, "nxlog-%Y%m%d")
</Output>

# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set LogFile below and
# disable the include line.
LogFile %MYLOGFILE%
#include %CONFDIR%/log4ensics.conf

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>
```

NXLog is starting, but it is waiting to connect to the Elasticsearch server and not proceeding further. Here is the log in nxlog.log. And I could not see an nxlog* index pattern in Kibana.

```
2020-03-31 09:37:44 WARNING already running as gid 0
2020-03-31 09:37:44 WARNING already running as uid 0
2020-03-31 09:37:44 WARNING no routes defined!
2020-03-31 09:37:44 WARNING default route added
2020-03-31 09:37:44 INFO nxlog-4.7.4715 started
2020-03-31 09:37:44 INFO om_elasticsearch_add_reconnect_event reconnecting in 0 seconds
2020-03-31 09:37:44 INFO connecting to linuxServer:9200
```

Any help on this is appreciated.

Thanks in advance

Santosh


santosh.p created
Replies: 1
Hiding/Masking Confidential Information in Logs

Hi,

Can NXLog be configured to automatically hide confidential information (PII) like credit card numbers, social security numbers, etc?

I thought you could maybe use Regex but thought there might be a better way (like a module) since this is a pretty common thing to do.

Thanks in advance!!


casey1234 created
Replies: 1
Skipping certain number of lines after regex match

Please, could you advise how to skip (drop) a certain number of the next log lines after $raw_event matches (Exec if $raw_event =~ / .... / drop();)? Thanks!


mime created
Replies: 1
Receiving Incomplete Windows Events
Hi,

I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with the MTU size. The default MTU across the network is 1500 (i.e. 1472 bytes actual payload length), but there are many events in Windows which are much larger than 1472 bytes. Those events with a length greater than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM to parse the logs.

Can anyone please help me in diagnosing and resolving this?

What I know about MTU is, if the packets are greater than 1472 bytes, MTU Fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.

```
################
#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
    Module xm_json
</Extension>

<Input MSEvtIN>
    # For windows 2003 and earlier use the following:
    #Module im_mseventlog
    # For windows 2005 and later use the following:
    Module im_msvistalog
    Exec to_json();
</Input>

<Output MSEvtOUT>
    Module om_udp
    Host DNIF-Adapter-IP
    Port 514
</Output>

<Route 1>
    Path MSEvtIN => MSEvtOUT
</Route>
```

ashutosh created
Replies: 11
Send xml files from syslog to syslog

Hello, I would like some simple help. I have a syslog server from which I need to send logs from a file that is in XML to another syslog server.

My configuration is as follows:

```
[...]
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_file
    File '/var/log/alerts'
</Input>

<Output out>
    Module om_udp
    Host xx.xxx.x.x
    Port 514
</Output>

<Route 1>
    Path in => out
</Route>
```

Where "/var/log/alerts" are the xml logs that I want to send.

Is there any additional configuration I should put in my conf or is it just that? Thanks


GustavoM created
Replies: 1
How to contact the sales rep in my country

Hi there,

We have one of our clients that is looking to upgrade their NXLog to the Enterprise Edition. How do I contact a sales rep from NXLog to get a license quote for our client? We are based in Malaysia, by the way.


BilalSaiful created
Replies: 1
Does the im_vistalog ResolveSID directive in NXLog EE also resolve Group SIDs?
I've noticed that the "GroupMembership" and "full_message" fields in Windows security logs for EventID 4627 contain unresolved Group SIDs (at least they look like SIDs to me). Event 4627 is generated along with event 4624 (successful account logon) and shows the entire list of groups that the particular logged-on account belongs to. This shows a list of groups that the user is a member of in Windows Event Viewer, but it looks like the following in our output stream:

```
Group Membership:
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-123}
    %{S-1-1-0}
    ...
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234}
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2345}
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-3456}
```

I am running version 4.7.4715 64-bit Enterprise Edition (non-trial) and my config file has the input defined as:

```
# For windows vista/2008 and above use:
Module im_msvistalog
ResolveSID TRUE
```

The username seems to be resolving correctly (or at least the "TargetUserSid"/"TargetUserName" fields both show a valid username and not a SID), so I believe the "ResolveSID" option is working correctly for usernames. I would like to be able to read the group membership information in a human-readable format rather than SIDs. I thought that "ResolveSID TRUE" would convert all instances of SIDs into human-readable format. I'm a little confused on the implementation specifics because I see the documentation (https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) only specifically mentions user names ("ResolveSID This optional boolean directive specifies that SID values should be resolved to user names in the ..."), so am I wrong in assuming that group membership SIDs would also be resolved, since they are not user names?

My questions are:

Should the group SIDs be resolving into human-readable format when ResolveSID=true? Or is the expected behaviour that they remain as SIDs?
If this is expected behaviour, are there any plans for incorporating this feature in a later release of NXLog? Is there any way I can convert the group SIDs into human-readable format?
If this is not expected behaviour, how can I troubleshoot this further?

hip_nxlog created
Replies: 1
Collecting Event Viewer Logs (msvistalog), but oddly fails with error
I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:

```
.\nxlog.exe -v
INFO configuration OK
```

```
.\nxlog.exe -f
INFO nxlog-ce-2.10.2150 started
ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001]
```

The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate EventIDs). Below is the configuration and associated examples.

**Complete but fails .conf**

```
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
# LOGFILE must be built from LOGDIR; the posted version referenced %LOGFILE% itself
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

Module xm_gelf

Module im_msvistalog
(EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or ((EventID=5140) and (ShareName!="\\*C$")) or ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)

Module om_udp
Host 192.168.1.1
Port 55555
OutputType GELF_UDP

Path eventlog => graylog
```

**Cut out from above. Succeeds**:

```
Module im_msvistalog
(EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or ((EventID=5140) and (ShareName!="\\*C$")) or ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)
```

**Fails**:

```
(EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)
```

**Succeeds (Removed bottom 5)**:

```
(EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156)
```

**Succeeds (Added bottom 5 back and removed top 5)**:

```
(EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)
```

Thank you!

Pervon created
Replies: 1