2 responses

Hi All, I wanted to see if I could get help with a filter for Windows events. I want to get all the "Security" events except those that have a word with .tmp inside. For example:

ObjectName
F:\Personal\Battista\14FC4253.tmp

With the users' help in chat I tried this config, but it doesn't work:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _gelf>
#Module xm_syslog
Module xm_gelf
#Module xm_json
</Extension>

<Input in1>
Module im_msvistalog
# Uncomment the following to collect specific event logs only
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
<Exec>
# Drop Security events whose ObjectName contains the literal ".tmp".
# The dot is escaped: an unescaped "." matches any character, so /.tmp/
# would also drop paths such as "...\Atmp\..." that have no ".tmp" in them.
if $Channel == 'Security' and $ObjectName =~ /\.tmp/ drop();
</Exec>
</Input>

<Output out>
Module om_udp
Host 172.20.5.32
Port 12201
#Exec to_syslog_snare();
OutputType GELF
</Output>

<Route 1>
Path in1 => out
</Route>

Thanks!

Asked August 28, 2018 - 7:32pm
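One way to check what a drop rule like the one in the config will actually match before loading it into NXLog is to replay it over a handful of events. The following is an added Python example, not code from the post or from NXLog; the event dictionaries are constructed, and the field names are an assumption modelled on the $Channel and $ObjectName fields the config references. It contrasts the unescaped pattern /.tmp/ with the literal /\.tmp/ and shows that the unescaped dot matches more than intended.

```python
import re

# Constructed sample events (not from the post). Each dict mimics the fields
# im_msvistalog exposes to the Exec block, e.g. $Channel and $ObjectName.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"F:\Personal\Battista\14FC4253.tmp"},
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"F:\Personal\Battista\report.docx"},
    # No ".tmp" here, but "Atmp" still satisfies an unescaped ".tmp" regex.
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"C:\Users\alice\Atmp\notes.txt"},
    # Logon event: ObjectName is not present on this kind of event.
    {"Channel": "Security", "EventID": 4624},
    # Not a Security-channel event, so the rule must leave it alone.
    {"Channel": "System", "EventID": 7036,
     "ObjectName": r"C:\temp\service.tmp"},
]

UNESCAPED = re.compile(r".tmp")   # as in the post: "." matches any character
ESCAPED = re.compile(r"\.tmp")    # literal ".tmp"


def should_drop(event, pattern):
    """Mirror of the Exec rule: drop Security events whose ObjectName matches.

    NXLog's =~ is an unanchored substring match, which re.search reproduces.
    An undefined $ObjectName makes the comparison false, so the event is kept.
    """
    if event.get("Channel") != "Security":
        return False
    obj = event.get("ObjectName")
    if obj is None:
        return False
    return pattern.search(obj) is not None


def apply_filter(events, pattern):
    """Return the events that survive the drop rule."""
    return [e for e in events if not should_drop(e, pattern)]


def surviving_object_names(events, pattern):
    """ObjectName (or EventID when absent) of each kept event, for inspection."""
    return [e.get("ObjectName", e["EventID"]) for e in apply_filter(events, pattern)]


if __name__ == "__main__":
    print("unescaped /.tmp/ keeps:", surviving_object_names(SAMPLE_EVENTS, UNESCAPED))
    print("escaped /\\.tmp/ keeps: ", surviving_object_names(SAMPLE_EVENTS, ESCAPED))
```

With the unescaped pattern the "Atmp" path is dropped along with the real .tmp file; with the escaped pattern only the .tmp object-access event is dropped, and the logon event and the System-channel event pass through in both cases.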

Comments (1)

  • Zhengshi (NXLog)

    Knowing what the error messages are, as well as the output you are getting vs. the output expected, would be useful and required in troubleshooting.

Answer (1)