
Hello, we are using NXLog to forward our Windows Event Viewer logs to our syslog server. On our Windows clients we have enabled process auditing, so this logs thousands of events for every process that gets launched and terminated. There is a common event ID, 4688, when a process gets created (launched). If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events, each with the same event ID 4688, but the actual message in each event contains the name of the corresponding process or program that was launched. For example:

Event 4688 ... a process "cmd.exe" was launched
Event 4688 ... a process "word.exe" was launched
Event 4688 ... a process "notepad.exe" was launched
Event 4688 ... a process "abc.exe" was launched
Event 4688 ... a process "xyz.exe" was launched

My requirement is to only forward those events that are coming from a particular process, say "notepad.exe", and ignore the other processes even though each one of them has the same event ID. Hope I am clear. Below is a snippet of the "Input" module from my nxlog.conf. How can I customize or filter my code below so that it filters on the process name "notepad.exe" that I want, instead of sending every event 4688?

<Input in>
    Module      im_msvistalog
    ReadFromLast    True
    # Select every Security event with ID 4688 (process creation)
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4688)]]</Select>\
                </Query>\
            </QueryList>
</Input>
Asked February 16, 2018 - 6:51pm

Answer (1)

Exec if $ProcessName !~ /notepad\.exe/ drop();

You will need to figure out the exact field name but as far as I remember the above should be correct.

Answered February 16, 2018 - 10:04pm

Comments (1)

  • Neeraj79

    Thank you b0ti. That helps. I found one more way; here is the snippet if anyone needs it:

    <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\System32\notepad.exe')]]</Select>\

    February 20, 2018 - 9:46pm
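
A complete configuration that puts the two approaches from the answer and the comment side by side, added here as an example; it is not part of the original question, answer or comment. It assumes NXLog syntax (im_msvistalog, xm_syslog, om_udp), a syslog collector at the placeholder address syslog.example.com on UDP 514, and notepad at C:\Windows\System32\notepad.exe, its location on a default Windows install. One field-name check worth making before deploying either variant: in a 4688 event the launched binary is in NewProcessName, while ProcessName (where present) is the creator process, so a filter on $ProcessName selects what notepad launched rather than notepad itself; in 4689 (process exit) ProcessName is the exiting process.

```apacheconf
# Added example, not from the original post: forward only Security 4688 events
# whose launched (new) process is notepad.exe, as IETF syslog over UDP.
# Host and port below are placeholders.

<Extension _syslog>
    Module      xm_syslog
</Extension>

# Approach 1: let the Windows Event Log filter in the XPath query.
# Data[@Name='NewProcessName'] is the launched image in 4688. The comparison
# is an exact, case-sensitive string match, so the full path must be right.
<Input in_xpath>
    Module      im_msvistalog
    ReadFromLast    TRUE
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4688)] and EventData[Data[@Name='NewProcessName']='C:\Windows\System32\notepad.exe']]</Select>\
                </Query>\
            </QueryList>
</Input>

# Approach 2: pull every 4688 and drop in NXLog what does not match.
# The regex matches any drive or directory and ignores case, which the XPath
# string comparison cannot do. Events without a NewProcessName field are
# dropped as well rather than passed through unfiltered.
<Input in_exec>
    Module      im_msvistalog
    ReadFromLast    TRUE
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4688)]]</Select>\
                </Query>\
            </QueryList>
    Exec    if not defined($NewProcessName) or $NewProcessName !~ /\\notepad\.exe$/i drop();
</Input>

<Output out>
    Module      om_udp
    # placeholder collector address
    Host        syslog.example.com
    Port        514
    Exec        to_syslog_ietf();
</Output>

# Route one input or the other; routing both would deliver every
# notepad.exe launch twice.
<Route r>
    Path        in_exec => out
</Route>
```

Approach 1 costs nothing on the NXLog side because the event log never hands over the non-matching events, but it breaks silently if notepad is started from another path or the path casing differs; approach 2 reads all 4688 events and spends a regex per event, in exchange for a match that does not depend on the exact install path. The same pattern applies to any other image name: swap the path or the regex and leave the rest of the configuration unchanged.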