7 responses

Hi, I try to use special event IDs with Graylog but it's not working. The service is running, so IMHO it could not be a syntax error in the config. My query looks like

Query <QueryList>\
            <Query Id="0"><Select Path="Account Management">*[User Account Management[(EventID='4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740', 4767, 4781, 4798')]]</Select></Query>\
            <Query Id="1"><Select Path="Account Management">*[Security Group Management[(EventID='4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4799')]]</Select></Query>\
            <Query Id="2"><Select Path="Account Management">*[Computer Account Management[(EventID='4742, 4743')]]</Select></Query>\
            <Query Id="3"><Select Path="Account Management">*[Distribution Group Management[(EventID='4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762')]]</Select></Query>\
            <Query Id="4"><Select Path="DS Access">*[Directory Service Access[(EventID='5136, 5137, 5138, 5139, 5141')]]</Select></Query>\
            <Query Id="5"><Select Path="Object Access">*[File Share[(EventID='5142, 5143, 5144')]]</Select></Query>\
            <Query Id="6"><Select Path="Policy Change">*[Authorization Policy Change[(EventID='4704, 4705')]]</Select></Query>\
            <Query Id="7"><Select Path="Policy Change">*[Audit Policy Change[(EventID='4719')]]</Select></Query>\
            <Query Id="8"><Select Path="Policy Change">*[Authentication Policy Change[(EventID='4739')]]</Select></Query>\
</QueryList>

In that case, Graylog gets no messages. If I delete the QueryList, Graylog gets all events.

What am I doing wrong here?


Asked October 13, 2017 - 10:04am

Answer (1)

There is probably an issue with the QueryXML, check your nxlog.log. Also see the Windows Eventlog section in the user guide.

Comments (6)

  • nxboon

    I evaluated something.

    As you can see in my config file, I want to get specific information from e.g. "Account Management - User Account Management".

    But in the event log on the server, these groups don't exist. There are only Application, System and Security.

    That's confusing me a little because I got the event IDs that I want to log from an Excel sheet from Microsoft, where all event IDs are classified. This list is for Windows 2003 and later.

    https://www.microsoft.com/en-us/download/details.aspx?id=50034

  • b0ti (NXLog)

    Please test your Query XML in Event Viewer. After you have confirmed that it works you can cut & paste it into your nxlog.conf.

    In case there is an error with the query there should be an error message in nxlog.log when you start the service.

  • nxboon

    I'm still stuck with the same problems.

    My actual config looks like this:

    https://pastebin.com/G1N5Ww0y

    If I delete the event IDs and write it like

    <Select Path="Security">*</Select>\

    everything works fine. If I put

    [Security[(EventID='4704, 4705, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, \
                                4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, \
                                4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4764, 4767, 4781, 4798, 4799, 5136, \
                                5137, 5138, 5139, 5141, 5142, 5143, 5144')]]

    in the Security section, nxlog sends no messages. No errors in the logfile.


    2017-10-23 17:19:12 INFO connecting to 10.105.150.241:12201
    2017-10-23 17:19:12 INFO nxlog-ce-2.9.1716 started


  • b0ti (NXLog)

    • Use Wireshark and check what it sends on TCP port 12201 to Graylog.
    • Replace om_tcp with om_file and check the file to see if there is anything written into it.

    If you don't see any events then the query does not match any new events in the eventlog.
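The QueryLists posted in this thread fail for two reasons that Windows event XPath makes easy to get wrong: task-category names such as "User Account Management" are labels shown by Event Viewer, not XML elements, and `EventID='4720, 4722'` is a quoted comma list where the query language only accepts one `EventID=<number>` comparison per ID, joined with `or`, under the `<System>` element. The following Python script is an added example, not code from the thread or from NXLog: it builds a valid `<QueryList>` for a set of event IDs on the Security channel, renders it in the backslash-continued form used for the `QueryXML` directive in nxlog.conf, and runs a small checker that flags the two mistakes above. The event IDs are the account-management IDs from the question; the per-Query chunk size is a constructed value, not a documented constant.

```python
"""
Build and sanity-check Windows Event Log XPath for a set of event IDs, then
render it as the QueryXML block used by NXLog's im_msvistalog module.

Windows event XPath has no list form for EventID: each ID is its own
comparison, joined with "or", under the <System> element, e.g.
    *[System[(EventID=4720 or EventID=4722)]]
Category names such as "User Account Management" are task categories shown
by Event Viewer, not XML elements, so they cannot appear in the path.
"""
import re
from xml.etree import ElementTree as ET

# Constructed sample: the account-management IDs from the thread above.
ACCOUNT_MGMT_IDS = [4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798]

# Constructed, conservative cap on IDs per <Select>; Windows limits the number
# of expressions in one query, so long lists are split across Query elements.
IDS_PER_QUERY = 20


def xpath_for_ids(event_ids):
    """Return the Select expression for the given IDs (deduplicated, sorted)."""
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one event ID is required")
    clauses = " or ".join(f"EventID={i}" for i in ids)
    return f"*[System[({clauses})]]"


def build_querylist(event_ids, channel="Security", chunk=IDS_PER_QUERY):
    """Return a <QueryList> element tree with one <Query> per chunk of IDs."""
    ids = sorted({int(i) for i in event_ids})
    root = ET.Element("QueryList")
    for n, start in enumerate(range(0, len(ids), chunk)):
        query = ET.SubElement(root, "Query", Id=str(n))
        select = ET.SubElement(query, "Select", Path=channel)
        select.text = xpath_for_ids(ids[start:start + chunk])
    return root


def querylist_xml(event_ids, channel="Security", chunk=IDS_PER_QUERY):
    """Single-line XML: paste into Event Viewer's XML filter tab to test it,
    or in PowerShell: Get-WinEvent -FilterXml ([xml]$xmlString)."""
    return ET.tostring(build_querylist(event_ids, channel, chunk), encoding="unicode")


def nxlog_queryxml(event_ids, channel="Security", chunk=IDS_PER_QUERY):
    """Multi-line form for nxlog.conf: every line but the last ends with a
    backslash so the QueryXML value continues onto the next line."""
    lines = ["<QueryList>"]
    for query in build_querylist(event_ids, channel, chunk):
        select = query[0]
        lines.append(
            f'    <Query Id="{query.get("Id")}">'
            f'<Select Path="{select.get("Path")}">{select.text}</Select></Query>'
        )
    lines.append("</QueryList>")
    return "\\\n".join(lines)


# Matches "EventID=<value>" where <value> is a quoted string or a bare token.
_EVENTID_VALUE = re.compile(r"EventID\s*=\s*('[^']*'|\S+?)(?=[\s)]|$)")


def check_select_expression(expr):
    """Return a list of problems in a Select expression (empty means it looks
    valid). Catches a category name used as the element and a quoted,
    comma-separated list of IDs."""
    problems = []
    if not expr.startswith("*[System["):
        problems.append("EventID is a child of <System>; expression should start with *[System[")
    for match in _EVENTID_VALUE.finditer(expr):
        value = match.group(1)
        if value.startswith("'") or not value.isdigit():
            problems.append(f"EventID={value}: write one EventID=<number> per ID, joined with 'or'")
    return problems


if __name__ == "__main__":
    bad = "*[User Account Management[(EventID='4720, 4722')]]"
    for problem in check_select_expression(bad):
        print("problem:", problem)
    print(nxlog_queryxml(ACCOUNT_MGMT_IDS))
```

Confirm the generated query in Event Viewer (or with Get-WinEvent) before putting it into nxlog.conf, as suggested above; a query that is well-formed but matches nothing produces no error in nxlog.log, only silence, which is exactly the symptom in this thread.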