Hello,

I do admit I am totally lost about NXLog.conf for Windows 2K12 R2 machines.

The purpose is to filter some EventIDs from the Security Event Log; for that I tried the nxlog.conf below:

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input>
   Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog

    Exec if ($EventID == 4634 or $EventID == 4624 or $EventID == 4672 or $EventID == 4801 or $EventID == 64 or $EventID == 7036 or $EventID == 7040) drop();\
    else\
    {\
        parse_syslog_ietf();\
        $Message = $FileName + ": " + $Message;\
        $SyslogFacility = syslog_facility_string(22);\
        $SyslogFacilityValue = syslog_facility_value("local6");\
        if ( $EventType == "INFO" ) $SyslogSeverityValue = 6;\
        if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4;\
        if ( $EventType == "ERROR" ) $SyslogSeverityValue = 3;\
    }
</Input>

<Output out>
    Module      om_udp
    Host        10.1.1.39
    Port        1514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path internal, eventlog => out
</Route>

Unfortunately, although the host and port are set correctly, it doesn't work, and I also have these messages in nxlog.log:

xxxxxx WARNING no routes defined!
xxxxxx WARNING not starting unused module out

I would really appreciate any help.

Asked April 13, 2016 - 6:11pm

Answer (1)

You need to give your input a name:

<Input eventlog>

instead of

<Input>

This should appear as an error in nxlog.log; you should always look at the first error, not the last.

Comments (2)

  • CBush

    Thanks for the answer, it's really better now. The following remains: I would like to filter Security's EventIDs and send them to the Syslog server. According to my NXLOG.conf, this one is dropping these EventIDs.

    Do you have an idea how to proceed? Thanks again.

     Exec if ($EventID == 4634 or $EventID == 4624 or $EventID == 4672 or $EventID == 4801 or $EventID == 64 or $EventID == 7036 or $EventID == 7040) drop();\
        else\
        {\
            parse_syslog_ietf();\
            $Message = $FileName + ": " + $Message;\
            $SyslogFacility = syslog_facility_string(22);\
            $SyslogFacilityValue = syslog_facility_value("local6");\
            if ( $EventType == "INFO" ) $SyslogSeverityValue = 6;\
            if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4;\
            if ( $EventType == "ERROR" ) $SyslogSeverityValue = 3;\
        }

  • adm (NXLog)

    To filter by EventID, you can use the native XML Query that is used in Event Viewer:

    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Security">*[System[(EventID='4663')]]</Select>\
              </Query>\
          </QueryList>

    The other option is to use the filtering capabilities in NXLog:

    Exec if $EventID NOT IN (4634, 4624, 4672) and $Channel == 'Security' drop();
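Putting the answer and adm's comment together, here is a complete nxlog.conf that does what the question asks. This is an added example, not configuration from the thread or from NXLog's own documentation. It assumes NXLog CE on Windows 2012 R2 installed under the default ROOT, and the collector at 10.1.1.39:1514 from the question. It names the input `eventlog` so the route can reference it, defines the `internal` input that the original route mentioned but never declared (im_internal, assumed to be the intent), restricts the Event Log query to the Security channel with the same XPath Event Viewer produces, and inverts the original `if <match> drop()` so that the listed EventIDs are kept rather than discarded. The four IDs kept (4624, 4634, 4672, 4801) are the Security-channel IDs from the question; the list is illustrative and should be adjusted to the events actually wanted.

```apacheconf
# Added example (not from the thread): a working nxlog.conf built from the
# answer and the comments. Assumptions: NXLog CE on Windows 2012 R2 with the
# installer's default paths, collector at 10.1.1.39:1514 as in the question.
define ROOT C:\Program Files (x86)\nxlog

Moduledir   %ROOT%\modules
CacheDir    %ROOT%\data
Pidfile     %ROOT%\data\nxlog.pid
SpoolDir    %ROOT%\data
LogFile     %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

# NXLog's own log messages. The route in the question referenced "internal"
# without declaring it, which is itself a configuration error.
<Input internal>
    Module      im_internal
</Input>

# The input must carry a name; the route below refers to it as "eventlog".
<Input eventlog>
    Module      im_msvistalog
    # Option 1 (from adm's comment): let the Windows Event Log API select the
    # events. Same XPath as Event Viewer's "Filter Current Log" -> XML tab.
    # Only the Security channel is read, and only these four EventIDs.
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4672 or EventID=4801)]]</Select>\
                    </Query>\
                </QueryList>
    # Option 2 (also from adm's comment): filter inside NXLog. Note the
    # direction: the question's "if <match> drop()" discarded exactly the
    # events of interest; "NOT IN" keeps them and drops everything else.
    # With the Query above this line is redundant, but it is harmless and
    # documents the allow-list in one place.
    Exec        if $EventID NOT IN (4624, 4634, 4672, 4801) drop();
    # Prefix the message with its channel so the collector can tell Security
    # events apart from anything else arriving on the same port.
    Exec        $Message = $Channel + ": " + $Message;
</Input>

<Output out>
    Module      om_udp
    Host        10.1.1.39
    Port        1514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        internal, eventlog => out
</Route>
```

After saving the file, restart the nxlog service and read nxlog.log from the first message after start-up, as the answer advises; "no routes defined" and "not starting unused module out" both disappear once every module named in `Path` exists. Because the Security log is being forwarded, note that om_udp provides neither delivery guarantees nor confidentiality; where the collector supports it, om_tcp or om_ssl is the appropriate replacement for the `<Output out>` block, with the same `to_syslog_snare()` Exec.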