1
response

Hello,

This is jsut a quick question on the following lines of a config for Nxlog. Basically is the code suppressing all security events with the exception of those event IDs with in the brackets or are the event IDs within the brackets being suppress?

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
   Module im_msvistalog
Query    <QueryList>\
                   <Query Id="0">\
                     <Select Path="Security">*</Select>\
                     <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4662 or EventID=5159) or EventID=5136 or EventID=4932 or EventID=4933]]</Suppress>\
                   </Query>\
        </QueryList>
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

AskedOctober 21, 2016 - 10:57pm

Answer (1)