Hello, I am using NXLOG to capture Windows Event Viewer logs. I have the below requirements:
(1) Forward Event ID 4624 events
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes.

Both of the above events are from the "Security" category of Event Viewer. If I use the below syntax, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same Query ID. How can I configure both of the above filters together in my QUERY block?

Query   <QueryList>\
            <Query Id="0">\
                <Select Path="Security">*[System[(EventID=4624)]]</Select>\
                <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='')]]</Select>\
            </Query>\
        </QueryList>

Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?

Query   <QueryList>\
            <Query Id="0">\
                <Select Path="Security">*[System[(EventID=4624)]]</Select>\
            </Query>\
            <Query Id="1">\
                <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]</Select>\
            </Query>\
        </QueryList>
Asked February 21, 2018 - 6:02pm

Answer (1)

See the Microsoft documentation about event selection. There is a section titled XML Event Queries that documents how you can construct an XML Query to filter the security logs in the Windows Eventlog.

Answered February 21, 2018 - 6:23pm
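The following is an added example, not code from the question or from NXLog's documentation, showing the two filters combined in a single im_msvistalog Query: several Select elements may share one Query (they are ORed), and Path="Security" may repeat, so only the Query Id needs to be unique per Query element. The input/output/route names and the collector host are placeholders I chose; the ProcessName predicate is tightened to compare the named Data element directly.

```apacheconf
# Added example (not from the original post): collect 4624 plus 4689
# restricted to notepad.exe, in ONE <Query> with two <Select> elements.
<Input eventlog>
    Module  im_msvistalog
    # Each line of the Query value is continued with a trailing backslash.
    # Select #1: every successful logon (4624).
    # Select #2: process exit (4689) only when the EventData field named
    #            ProcessName equals the notepad.exe path (exact string match).
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4624)]]</Select>\
                    <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName']='C:\Windows\System32\notepad.exe']]</Select>\
                </Query>\
            </QueryList>
</Input>

# Placeholder destination; replace with the real collector.
<Output collector>
    Module  om_tcp
    Host    collector.example.internal
    Port    1514
</Output>

<Route security_events>
    Path    eventlog => collector
</Route>
```

Because the filter runs inside the Windows event subscription, events that match neither Select never reach NXLog at all, so the reduction in 4689 volume happens before any log shipping.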