Hi all, I wanted to see if I could get help with a filter for Windows events. I want to get all the "Security" events except those that contain a word with .tmp in it. For example:


With the users' help in chat I tried this config, but it doesn't work:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _gelf>
    #Module xm_syslog
    Module xm_gelf
    #Module xm_json
</Extension>

<Input in1>
    Module im_msvistalog
    # Uncomment the following to collect specific event logs only
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
    # Drop Security events whose ObjectName contains ".tmp"; the dot is
    # escaped so it matches a literal dot rather than any character
    Exec if $Channel == 'Security' and $ObjectName =~ /\.tmp/ drop();
</Input>

<Output out>
    Module om_udp
    # Address of the GELF receiver (placeholder; om_udp requires a Host)
    Host GELF_SERVER_ADDRESS
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF
</Output>

<Route 1>
    Path in1 => out
</Route>

Thanks!

Asked August 28, 2018 - 7:32pm
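Added example (not from the post or from NXLog): the drop rule's logic written out in Python and run over constructed sample events, showing that an unescaped dot in `/.tmp/` also drops names such as `report_tmp.docx`, while `/\.tmp/` drops only a literal `.tmp`. Field names and sample paths are assumptions.

```python
import re

# Constructed sample events in the shape im_msvistalog exposes them
# ($Channel, $ObjectName); these are not records from the original post.
SAMPLE_EVENTS = [
    {"Channel": "Security", "ObjectName": r"C:\Users\a\AppData\Local\Temp\abc.tmp"},
    {"Channel": "Security", "ObjectName": r"C:\Windows\System32\config\SAM"},
    {"Channel": "Security", "ObjectName": r"C:\data\report_tmp.docx"},  # "_tmp", no dot
    {"Channel": "Application", "ObjectName": r"C:\cache\x.tmp"},        # other channel
    {"Channel": "Security"},                                            # no ObjectName
]

# Unescaped dot, as written in the post: any character followed by "tmp".
LOOSE = re.compile(r".tmp")
# Escaped dot: only a literal ".tmp".
STRICT = re.compile(r"\.tmp")


def should_drop(event, pattern=STRICT):
    """Mirror the Exec rule: drop when Channel is Security and ObjectName matches."""
    if event.get("Channel") != "Security":
        return False
    name = event.get("ObjectName")
    if name is None:  # a missing field never matches, so the event is kept
        return False
    return pattern.search(name) is not None


def apply_filter(events, pattern=STRICT):
    """Return the events that would still be forwarded after the drop rule."""
    return [e for e in events if not should_drop(e, pattern)]


def dropped_names(events, pattern):
    """ObjectName of every event the rule would drop under the given pattern."""
    return [e["ObjectName"] for e in events if should_drop(e, pattern)]


if __name__ == "__main__":
    print("strict drops:", dropped_names(SAMPLE_EVENTS, STRICT))
    print("loose drops: ", dropped_names(SAMPLE_EVENTS, LOOSE))
```

Because dropped Security events never reach the collector, an over-broad pattern silently loses audit data, so it is worth checking the pattern against real ObjectName values before deploying it.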

Comments (1)

  • Zhengshi

    Knowing what the error messages are, as well as the output you are getting vs. the output expected, would be useful and required in troubleshooting.

Answer (1)