How to filter Windows Server event by level
tevfikceydeliler created
Hi,
I installed the NXLog Enterprise Edition v5 trial
and am trying to filter out events before sending them to the SIEM. I can get some events and see them on the SIEM side, but when I create a fake event, I cannot see all of them.
What do I want? I want to forward Windows Server APP, SEC and SYS logs that have only the WARNING, ERROR and CRITICAL levels, in CEF format.
Is this config part correct?
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _cef>
    Module  xm_cef
</Extension>

<Input in_jornal>
    Module  im_msvistalog
    # For Windows 2003 and earlier use the following instead:
    # Module  im_mseventlog
    # Channel Security
    # Inside QueryXML the '<' operator has to be written as '&lt;' so the query stays well-formed XML.
    # Level 1 = Critical, 2 = Error, 3 = Warning; 'Level&lt;4' also matches Level 0 (LogAlways).
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*[System/Level&lt;4]</Select>
                <Select Path='Security'>*[System/Level&lt;4]</Select>
                <Select Path='System'>*[System/Level&lt;4]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
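A check that is worth running before dropping a query like the one above into im_msvistalog: confirm the QueryXML is well-formed (a raw `<` in the XPath predicate breaks it, `&lt;` does not) and see which Windows levels a `Level < N` predicate really keeps. The script below is an added example, not NXLog code and not from the poster; the level table is the standard Windows event log level numbering, and the `build_query_xml` helper and its output layout are this example's own.

```python
import xml.dom.minidom
from xml.sax.saxutils import escape

# Windows event log levels as they appear in System/Level of the event XML.
WINDOWS_LEVELS = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
                  4: "Information", 5: "Verbose"}


def build_query_xml(channels, max_level_exclusive):
    """Build a QueryList selecting events with Level < max_level_exclusive on each channel.

    escape() rewrites '<' as '&lt;', which is what keeps the predicate well-formed XML.
    """
    predicate = escape(f"*[System/Level<{int(max_level_exclusive)}]")
    selects = "\n".join(
        f"    <Select Path='{escape(channel)}'>{predicate}</Select>" for channel in channels
    )
    return f"<QueryList>\n  <Query Id='0'>\n{selects}\n  </Query>\n</QueryList>"


def check_query_xml(query_xml):
    """Parse the query as XML.

    Returns (True, [(path, xpath), ...]) when it is well-formed, (False, []) otherwise.
    The parser decodes '&lt;' back to '<', so the returned XPath is what the log API sees.
    """
    try:
        doc = xml.dom.minidom.parseString(query_xml)
    except Exception:  # ExpatError for malformed XML
        return False, []
    selects = doc.getElementsByTagName("Select")
    return True, [(s.getAttribute("Path"), s.firstChild.data.strip()) for s in selects]


def levels_matched(max_level_exclusive):
    """Level names a 'Level < N' predicate selects; note that N=4 also keeps LogAlways (0)."""
    return [name for level, name in sorted(WINDOWS_LEVELS.items()) if level < max_level_exclusive]


if __name__ == "__main__":
    good = build_query_xml(["Application", "Security", "System"], 4)
    print(good)
    print(check_query_xml(good))
    # The unescaped form from the post, constructed here as a negative case.
    bad = "<QueryList><Query Id='0'><Select Path='Application'>*[System/Level<4]</Select></Query></QueryList>"
    print("unescaped query well-formed:", check_query_xml(bad)[0])
    print("Level<4 keeps:", levels_matched(4))
```

`levels_matched(4)` shows the one surprise in the poster's filter: besides Critical, Error and Warning it also admits Level 0 (LogAlways) events, which is usually harmless but worth knowing when the SIEM side counts do not line up.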
CEF Severity Value Not getting Parsed Properly
himanshu.arora created
Hi,
I am following the CEF documentation from here:
https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557
In it, it is written that
Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.
I am using the xm_cef module to parse the CEF message, and according to the above description, if string values are provided they should be converted to the appropriate integer values or left as they are,
but the xm_cef module is converting the string values to 0.
e.g.:
Input:
CEF:0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1
The severity value is Very-High.
Output: (the field CEFSeverity is 0)
{
"EventReceivedTime":"2019-05-02T04:58:30.333756-07:00",
"SourceModuleName":"cef_input",
"SourceModuleType":"im_file",
"SyslogFacilityValue":1,
"SyslogFacility":"USER",
"SyslogSeverityValue":5,
"SyslogSeverity":"NOTICE",
"SeverityValue":1,
"Severity":"DEBUG",
"EventTime":"2019-05-02T04:58:30.333784-07:00",
"Hostname":"ubuntu",
"SourceName":"CEF",
"Message":"0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1",
"CEFVersion":0,
"CEFDeviceVendor":"Product",
"CEFDeviceProduct":"Example",
"CEFDeviceVersion":"unknown",
"CEFSignatureID":"1",
"CEFName":"Account",
"CEFSeverity":0,
"dvchost":"localhost",
"duser":"1234567",
"src":"1.1.1.1"
}
I have tried with Low, Medium, High and Very-High; it converts all of them to 0.
I have used the same conf file as in https://nxlog.co/question/4618/xmcef-xmjson-unexpected-behaviour-while-converting-cef-json#comment-7579
NXLog version: nxlog-4.3.4308-trial
There is no log output with respect to this.
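To see what a severity mapping that follows the quoted standard looks like, here is a small CEF header parser as an added example. It is not xm_cef and not the poster's configuration; it keeps the integer severities 0-10 and labels them with the band from the standard, keeps the string severities as their canonical spelling without inventing an integer for them, and turns anything else into Unknown rather than 0. The field names `CEFSeverityValue` and `CEFSeverityBand` and the treatment of out-of-range integers as Unknown are this example's own choices, not something the page or the standard prescribes.

```python
import re

# Integer bands from the CEF standard quoted in the post.
SEVERITY_BANDS = ((0, 3, "Low"), (4, 6, "Medium"), (7, 8, "High"), (9, 10, "Very-High"))
# Valid string values, keyed case-insensitively, mapped to their canonical spelling.
VALID_SEVERITY_STRINGS = {"unknown": "Unknown", "low": "Low", "medium": "Medium",
                          "high": "High", "very-high": "Very-High"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # a '|' that is not escaped as '\|'
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs in the extension


def severity_band(value):
    """Band name for an integer severity, or Unknown when it is outside 0-10."""
    for low, high, name in SEVERITY_BANDS:
        if low <= value <= high:
            return name
    return "Unknown"


def normalize_severity(raw):
    """Map the CEF severity header field to (integer or None, band name).

    Integers 0-10 keep their value and get the band they fall in; the standard's string
    values get no integer but are normalised to their canonical spelling; anything else
    becomes Unknown instead of silently collapsing to 0 (this example's own choice).
    """
    text = raw.strip()
    if re.fullmatch(r"\d+", text):
        number = int(text)
        return (number, severity_band(number)) if 0 <= number <= 10 else (None, "Unknown")
    return None, VALID_SEVERITY_STRINGS.get(text.lower(), "Unknown")


def parse_cef(line):
    """Parse one CEF line into a flat dict of header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    version, vendor, product, dev_version, sig_id, name, severity, extension = parts
    sev_value, sev_band = normalize_severity(severity)
    record = {
        "CEFVersion": int(version),
        "CEFDeviceVendor": vendor,
        "CEFDeviceProduct": product,
        "CEFDeviceVersion": dev_version,
        "CEFSignatureID": sig_id,
        "CEFName": name,
        "CEFSeverity": severity,          # raw value as received
        "CEFSeverityValue": sev_value,    # integer or None
        "CEFSeverityBand": sev_band,      # Low / Medium / High / Very-High / Unknown
    }
    record.update(dict(_EXT_PAIR.findall(extension)))
    return record


if __name__ == "__main__":
    # The line from the post, plus a constructed variant with an integer severity.
    for sample in (
        "CEF:0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1",
        "CEF:0|Product|Example|unknown|1|Account|8|dvchost=localhost duser=1234567 src=1.1.1.1",
    ):
        rec = parse_cef(sample)
        print(rec["CEFSeverity"], "->", rec["CEFSeverityValue"], rec["CEFSeverityBand"])
```

Running it on the post's own line yields `Very-High -> None Very-High`, which is the behaviour the poster expected from the standard: the string is preserved and classified, not replaced by 0.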