4 responses

Hello -


I've been trying to figure this out for a few days, and it just isn't working. I want to allow certain messages by EventID, disallow all other INFO and DEBUG messages, but also allow all other ERRORs.

What I would like to end up with is: the cherry-picked EventIDs (a collection of INFO, ERROR and WARNING events), plus all error messages. Every time I add a filter by SEVERITY it seems to change the dynamic of the filter.

Any tips? Below is what my config currently looks like. I'm getting the EventIDs I want, but I'm not getting all ERROR messages.

----------------------------

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
    Exec if ($EventID == 624 or $EventID == 630 or $EventID == 631 or $EventID == 634 or $EventID == 635 or $EventID == 638 or $EventID == 658 or $EventID == 662 or $EventID == 4624 or $EventID == 4625 or $EventID == 4720 or $EventID == 4726 or $EventID == 4727 or $EventID == 4728 or $EventID == 4729 or $EventID == 4730 or $EventID == 4731 or $EventID == 4732 or $EventID == 4733 or $EventID == 4734 or $EventID == 4735 or $EventID == 4737 or $EventID == 4740 or $EventID == 4741 or $EventID == 4742 or $EventID == 4743 or $EventID == 4754 or $EventID == 4755 or $EventID == 4756 or $EventID == 4757 or $EventID == 4758 or $EventID == 4764 or $EventID == 4767);\
        else drop();
</Input>

<Output out>
    Module      om_udp
    Host        log.myserver.org
    Port        5414
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

Asked April 10, 2017 - 7:33pm

Answer (1)

I believe the following should do what you want:

Exec if not ($Severity == 'ERROR' or $EventID IN (624, 630, ...)) drop();

Note that EventID is unique per eventlog source so you probably want to add $SourceName == 'Security' to the condition.

Comments (3)

  • b0ti (NXLog)

    You will get error logs for everything with this:
    Exec if not ($Severity == 'ERROR' or ($EventID IN (624, 630, ...) and $SourceName == 'Security')) drop();
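Putting the answer and the comment together, here is the complete `<Input>` block with the full EventID list from the question written out instead of the `...` (an added example, not code from the thread or from NXLog). It assumes the `$Severity` value `'ERROR'` and the `$SourceName == 'Security'` test exactly as they appear in the thread; `im_msvistalog` also exposes a `$Channel` field, so the field and value should be checked against one captured Security event from the host before relying on it. The `<Output>` and `<Route>` blocks from the original post stay unchanged.

```nxlog
<Input in>
    Module      im_msvistalog
    # Keep an event if EITHER it is an ERROR (any source, any EventID)
    # OR it is one of the hand-picked Security EventIDs; drop everything else.
    # The inner parentheses matter: without them "and" binds tighter than "or"
    # only by operator precedence, and the intent is easy to misread.
    # Field/value assumptions: $Severity == 'ERROR' and $SourceName == 'Security'
    # are taken from the answer above; verify them against a real event.
    Exec if not ($Severity == 'ERROR' or \
                 ($SourceName == 'Security' and \
                  $EventID IN (624, 630, 631, 634, 635, 638, 658, 662, \
                               4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, \
                               4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, \
                               4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, \
                               4767))) \
            drop();
</Input>
```

The single `if not (...) drop();` form avoids the empty-then-branch of the original `if (...); else drop();` and keeps the whole allow-list in one expression, so adding a severity rule later means editing one condition rather than chaining a second `Exec` that can silently drop events the first one allowed. To confirm the result, temporarily point `om_udp` at a test collector (or add an `om_file` output on the host) and check that a non-listed ERROR event and a listed INFO event both arrive while a non-listed INFO event does not.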