We are testing NXlog to ship the security logs to our security team.  We are using XP embedded and it working fine.  Security is asking us to only send specific event ID's.  I have looked at the documentation and it appears that we may not be able to do this with XP.  I was going to do the custom view but XP does not support that. We are supported on the embedded version of XP.

My question.  Has anyone tried to do this with XP or is it even possible?

David Martin


AskedMay 16, 2016 - 3:12pm

Answer (1)

The crimson EventLog API is only available after Windows Vista and later so it is not possible to use XML filters in im_mseventlog but the traditional NXLog style filtering works across all modules so you can do this:

Exec if $EventID NOT IN (42, 142, 4242) drop();

Comments (3)

  • dmm3369's picture

    So this basically drops any ID's listed or only trigger the log if it sees the listed ID's?  Where in the config should it be placed?

  • dmm3369's picture

    Copied from our config. Is this the location to add the string? 

    <Input in>

    #Windows Event Logging of Security,System and Application Logs   

    Module      im_mseventlog   

    Exec to_syslog_snare();

    Exec if $EventID NOT IN (528, 529, 567, 592, 601, 602, 608, 612, 636, 7034, 7035, 7036, 7040, 4097, 64004, 2, 3005) drop();