Hello, We are using NXLOG to forward our windows event viewer logs to our syslog server. On our Windows clients, we have enabled process auditing, so this logs 1000s of events for every process that gets launched and terminated. There is a common event ID - 4688 when a process gets created (launched) . If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events each with the same event ID 4688 but the actual message in each event contains the name of the corresponding process or program that was launched. For example
Event 4688 ... a process "cmd.exe" was launched
Event 4688 ... a process "word.exe" was launched
Event 4688 ... a process "notepad.exe" was launched
Event 4688 ... a process "abc.exe" was launched
Event 4688 ... a process "xyz.exe" was launched
My requirement is to only forward those events that are coming from a particular process say "notepad.exe" & ignore the other processes even though each one of them has same EVENT ID. Hope i am clear. Below is a snippet of the "Input" module from my nxlog.conf . How can i customize or filter my below code to filter on the process name "notepad.exe" that i want instead of sending every event 4688.
<Input in> Module im_msvistalog ReadFromLast True Query <QueryList>\ <Query Id="0">\ <Select Path="Security">*[System[(EventID=4688]]</Select>\ </Query>\ </QueryList> </Input>