Hello folks, for weeks I have been trying to get filtered information from a domain controller, but I don't get the right information. If I choose the event IDs I want to get, no input arrives on the Graylog side, but if I select * from Application, Security or System, all the messages come through. But I don't want that. I only want add, modify, delete account, for example. How do I have to do that? Here is one of my spectacular config files with filters:

https://pastebin.com/cptCmt9e

and that's the simple working one

https://pastebin.com/aXt5waFT

Asked January 22, 2018 - 2:37pm

Answer (1)

I suspect there is an issue with the first. Did you check nxlog.log to see if there are any errors with the first query?

You can replace om_tcp with om_file and check what's written in the file. It will be the same as what would be sent to Graylog.

Comments (2)

  • b0ti (NXLog)

    There are no matching events then.

    Are you sure this comma-separated syntax is correct: EventID='5142, 5143, 5144'?

    You should test your query in Event Viewer.
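A configuration that applies the advice in this thread, added here as an example and not taken from the poster's pastebins: the three event IDs from the comment above are written as separate numeric comparisons joined with "or" inside the XPath filter instead of one comma-separated string, and the route writes to om_file first so the selected events can be inspected locally before switching back to om_tcp. The install path, file name, Graylog host and port are assumptions.

```conf
# Constructed example: ROOT is an assumption, adjust to the NXLog install path.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Extension _gelf>
    Module  xm_gelf
</Extension>

<Input in_security>
    Module  im_msvistalog
    # One numeric comparison per EventID, joined with "or".
    # EventID='5142, 5143, 5144' is a single string value and selects nothing.
    # Test the same XPath in Event Viewer (Filter Current Log > XML) first.
    Query   <QueryList>                                                                     \
                <Query Id="0">                                                              \
                    <Select Path="Security">*[System[(EventID=5142 or EventID=5143 or EventID=5144)]]</Select> \
                </Query>                                                                    \
            </QueryList>
    Exec    to_json();
</Input>

# Debug output as suggested in the answer: if this file stays empty,
# the query matches nothing and Graylog would receive nothing either.
<Output out_debug>
    Module  om_file
    File    "%ROOT%\data\filtered_events.json"
</Output>

# Real destination (host and port are assumptions; match the Graylog GELF TCP input).
<Output out_graylog>
    Module      om_tcp
    Host        graylog.example.internal
    Port        12201
    OutputType  GELF_TCP
</Output>

# Point the route at out_graylog once filtered_events.json shows the expected events.
<Route r_security>
    Path    in_security => out_debug
</Route>
```

Restart the NXLog service after editing and watch nxlog.log for parse errors in the Query directive before looking at the output file.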