Windows Event ID Whitelist Filter Question
paul.masek created
I'm using NXLog CE to forward Windows event logs via the im_msvistalog module. There are about 161 event IDs that I want to whitelist from the Security log, and I don't want to send anything else from the event logs.
The following config snippet works:
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Security'>*[System[(EventID=4627)]
or System[(EventID=4624)]
or System[(EventID=4775)]
or System[(EventID=4776)]
or System[(EventID=4777)]
or System[(EventID=4741)]
or System[(EventID=4742)]
or System[(EventID=4743)]
or System[(EventID=4744)]
or System[(EventID=4745)]
or System[(EventID=4746)]
or System[(EventID=4747)]
or System[(EventID=4748)]
or System[(EventID=4749)]
or System[(EventID=4750)]
or System[(EventID=4751)]
or System[(EventID=4752)]
or System[(EventID=4753)]
or System[(EventID=4759)]
or System[(EventID=4760)]
or System[(EventID=4672)]
or System[(EventID=4634)]
or System[(EventID=4648)]]
</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
The issue is that once I add one more line to that config, NXLog stops shipping events completely.
Is there a better way for me to write this that would allow for more than 23 whitelisted event IDs?
EventID 4624 not coming correctly through
Elvar.Böðvarsson created
Two related threads I found on this:
https://nxlog.co/question/2029/logon-vs-logoff-events-seim
https://nxlog.co/question/1711/configuration-send-windows-security-logs-only
Posted a question on the Windows forums as well:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f70aa0fd-9f59-470a-bafe-47c82f4a7151/broken-xml-for-eventid-4624?forum=winserver8gen
There are domain controllers that a logging server connects to using Windows Event Log Forwarding (poll).
In the event log, event ID 4624 comes in, but in the Message field it's all % placeholders, while the XML data is correct. Before some patching, the XML data was broken.
The Data fields looked like this:
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">
<Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
But now they are more correct and look like this:
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName" />
<Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
The issue only occurs when nothing is in the WorkstationName field.
NXLog reads this and converts it to JSON, and that's where NXLog is obviously having problems.
The JSON looks like this:
"AuthenticationPackageName":"Kerberos","WorkstationName' /> <Data Name='LogonGuid":"{B3A6.....
So at the workstation name it fails to parse the XML, possibly because the XML field is closed with /> instead of a full </Data>.
Another issue is that the Message field does not come through NXLog at all.
Would love to get some help debugging this.
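As an added example that is not part of the thread or of NXLog's own code, the following script flattens the EventData fragment quoted above with a standard XML parser, so the output can be compared against what NXLog emits. The wrapping Event/System elements and the EventID value are constructed around the Data lines from the post; the event namespace URI is the real one used by Windows event XML.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the EventData lines quoted in the post (the corrected
# form, with WorkstationName as a self-closing element) wrapped in a minimal
# Windows event envelope so the fragment parses stand-alone.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName" />
    <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_data_to_dict(xml_text):
    """Flatten every <Data Name="..."> under <EventData> into a dict.

    A self-closing or empty element yields "" instead of corrupting the
    record; the EventID from <System> is carried along as an int.
    """
    root = ET.fromstring(xml_text)
    record = {}
    event_id = root.find("./e:System/e:EventID", NS)
    if event_id is not None and event_id.text:
        record["EventID"] = int(event_id.text)
    for data in root.findall("./e:EventData/e:Data", NS):
        name = data.get("Name")
        if name is None:
            continue
        # .text is None for <Data Name="..."/>; normalise to an empty string
        record[name] = (data.text or "").strip()
    return record


def event_data_to_json(xml_text):
    """Serialise the flattened record as compact JSON."""
    return json.dumps(event_data_to_dict(xml_text), separators=(",", ":"))


if __name__ == "__main__":
    print(event_data_to_json(EVENT_XML))
```

A correctly parsed record keeps WorkstationName as an empty string and LogonGuid as its own key, which is the shape to expect from a converter that honours self-closing elements.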