Exec if $EventID NOT IN - Question on placement in config.

Post a different question
1
response

Would this be the correct placement to add the filter event ID string?  Should anything esle be commented out?

#Windows Event Logging of Security,System and Application Logs  

Module      im_mseventlog  

Exec to_syslog_snare();

Exec if $EventID NOT IN (528, 529, 567, 592, 601, 602, 608, 612, 636, 7034, 7035, 7036, 7040, 4097, 64004, 2, 3005) drop();

</Input>

 

 

 

AskedMay 17, 2016 - 4:54pm

Comments (1)

  • adm's picture
    (NXLog)

    Note that EventID is unique per source, so you probably want to add a test such as this:

    Exec if $FileName == 'Security' and $EventID NOT IN (528, ...

    May 17, 2016 - 6:52pm

Answers (0)