
Nxlog CE agent forwarding all Windows Events despite the query level filter
Hello everybody,

I'm trying to filter the Windows event log by severity/level, keeping only warning to critical, so levels 1 to 3. Unfortunately, I have tried several configurations, but the agent is still forwarding all the events, as if there were no filter.

My specifications are: NXLog CE agent (version 2.10.2102) on Windows 10 64-bit build 1803 with this configuration:

Panic Soft
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

Module xm_syslog

Module im_msvistalog
*[System[(Level=1 or Level=2 or Level=3)]]
*[System[(Level=1)]]
*[System[(Level=1 or Level=2 or Level=3)]]
*[System[(Level=1 or Level=2 or Level=3)]]

Module pm_buffer
MaxSize 102400
Type disk

Module om_tcp
Host X.X.X.X
Port 514
Exec to_syslog_snare();

Path eventlog => buffer => out

Am I missing something? Did something change recently in the syntax?

Thanks for your help. Best regards :)

Olistra created
Replies: 2
NXLogClient Event captures Multiple platforms

Hello There,

Please help me get answers to the questions below.

1. Which logs can be captured using the NXLog client on Windows, Unix, AIX and Linux platforms?

2. What are the system prerequisites for installing the NXLog client on Windows, UNIX, AIX and Linux platforms?

Thank you.

kdevmu created
Parsing Windows Logs (from FILE)

I am having no luck with a simple parsing of EVT log files.

Is there an easy way to read in EVT (Binary Log files) and output them in Syslog Format?

This is the config file I am using. (I used python-evtx to extract the logs into text XML; however, that yields XML attributes which apparently are not parseable.)

Problem Set:

Given 3 files (System.evt, Application.evt, and Security.EVT), parse the EVT format into Syslog_BSD (or IETF) format.

<Extension multiline>
    Module      xm_multiline
    # python-evtx writes each record as <Event xmlns="..."> ... </Event>:
    # capital E and attributes, so do not require ">" right after the name.
    # A literal "/" inside an NXLog regex must be escaped as "\/".
    HeaderLine  /^\s*<Event[\s>]/
    EndLine     /^\s*<\/Event>/
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension xmlparser>
    Module      xm_xml
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Extension fileop>
    Module      xm_fileop
</Extension>

<Input in>
    Module      im_file
    File        "%ROOT%/test.xml"
#   File        "/tmp/cab.xml"
    SavePos     FALSE
    ReadFromLast FALSE
    InputType   multiline
    <Exec>
        # Discard everything that doesn't look like an XML event
        if $raw_event !~ /^\s*<Event[\s>]/ drop();

        # Parse the XML elements into fields (xm_xml in CE reads element
        # text, not attributes)
        parse_xml();

        # Rewrite some fields; this assumes the XML carries a <timestamp> element
        $EventTime = parsedate($timestamp);
        delete($timestamp);
        delete($EventReceivedTime);
    </Exec>
</Input>

<Output out>
    Module      om_file
    File        "%ROOT%/out.log"
    # Render the parsed fields as a syslog line; use to_syslog_bsd() for BSD format.
    # $raw_event is no longer XML at this point, so it must not be parsed again.
    Exec        to_syslog_ietf();
    # Debug: write the parsed fields as JSON to nxlog.log
    Exec        log_info("FIELD " + to_json());
</Output>

<Route 1>
    Path        in => out
</Route>


Colin.Bitterfield created
Replies: 1
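The problem set above (EVT records already dumped to XML with python-evtx, to be emitted as BSD syslog), worked as an added example in Python that is not the poster's code or NXLog's: it reads the Windows Event XML with ElementTree, which handles the attributes the NXLog config could not, and applies the Level 1 to 3 filter the first post asks about. The sample records are constructed, and the facility and message layout are this example's own choices.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the layout python-evtx writes for an EVTX file. The
# provider name and timestamp are attributes (what NXLog CE's xm_xml skips);
# ElementTree reads them directly.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
<Level>4</Level><TimeCreated SystemTime="2019-03-04T10:15:30.123456Z"/>
<Channel>System</Channel><Computer>host01.example.test</Computer></System>
<EventData><Data Name="param1">Windows Update</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>1</EventID>
<Level>2</Level><TimeCreated SystemTime="2019-03-04T10:16:02.000000Z"/>
<Channel>System</Channel><Computer>host01.example.test</Computer></System>
<EventData><Data Name="Reason">3</Data></EventData></Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FACILITY_USER = 1  # facility is this example's choice
# Windows Level (0 LogAlways, 1 Critical .. 5 Verbose) -> syslog severity.
SEVERITY = {0: 6, 1: 2, 2: 3, 3: 4, 4: 6, 5: 7}

def event_to_bsd_syslog(event):
    """Render one <Event> element as an RFC 3164 (BSD syslog) line."""
    system = event.find("e:System", NS)
    level = int(system.findtext("e:Level", "4", NS))
    pri = FACILITY_USER * 8 + SEVERITY.get(level, 6)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    dt = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    bsd_time = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"  # e.g. "Mar  4 10:16:02"
    host = system.findtext("e:Computer", "-", NS)
    provider = system.find("e:Provider", NS).get("Name", "-")
    fields = [f"EventID={system.findtext('e:EventID', '', NS)}", f"Level={level}",
              f"Channel={system.findtext('e:Channel', '', NS)}"]
    for data in event.iterfind("e:EventData/e:Data", NS):
        fields.append(f"{data.get('Name', 'Data')}={data.text or ''}")
    return f"<{pri}>{bsd_time} {host} {provider}: " + " ".join(fields)

def evtx_xml_to_syslog(xml_text, min_level=1, max_level=3):
    """Convert a python-evtx XML dump, keeping only Windows Level min..max
    (1..3 = Critical, Error, Warning, the range the first post filters on)."""
    out = []
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        level = int(event.findtext("e:System/e:Level", "4", NS))
        if min_level <= level <= max_level:
            out.append(event_to_bsd_syslog(event))
    return out
```

Run on a real dump by reading the evtx_dump.py output file into `evtx_xml_to_syslog`; the Level 4 record in the sample is dropped by the default 1..3 filter, and widening the range keeps it.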