Filter type in Windows event log
Hi All, I wanted to see if I could get help with a filter for Windows events. I want to get all the "Security" events except those that have a word with .tmp inside. For example:
ObjectName F:\Personal\Battista\14FC4253.tmp
With the users' help in chat I tried this config, but it doesn't work:

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _gelf>
    #Module xm_syslog
    Module  xm_gelf
    #Module xm_json
</Extension>

<Input in1>
    Module  im_msvistalog
    # Uncomment the following to collect specific event logs only
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>
    <Exec>
        # Drop Security events whose ObjectName contains a literal ".tmp".
        # The dot must be escaped: an unescaped "." matches any character, so
        # /.tmp/ would also drop paths such as ...\atmp\report.docx.
        if $Channel == 'Security' and $ObjectName =~ /\.tmp/ drop();
    </Exec>
</Input>

<Output out>
    Module      om_udp
    Host        172.20.5.32
    Port        12201
    #Exec       to_syslog_snare();
    OutputType  GELF
</Output>

<Route 1>
    Path    in1 => out
</Route>
```
Thanks!
But it doesn't work.
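Added example (not from the original post and not NXLog code): a Python model of the Exec decision in the config above, run over constructed events shaped like the fields im_msvistalog exposes ($Channel, $EventID, $ObjectName), to show that the unescaped dot in /.tmp/ also drops unrelated paths such as ...\atmp\..., while a literal \.tmp does not. The case-insensitive match and the sample field values are assumptions.

```python
import re

# Constructed events in the shape im_msvistalog exposes them; not real log data.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"F:\Personal\Battista\14FC4253.tmp"},
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"C:\Users\atmp\Q3-report.docx"},   # no .tmp, but "atmp"
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"C:\Windows\Temp\setup.TMP"},      # upper-case extension
    {"Channel": "Security", "EventID": 4624},           # logon: no ObjectName
    {"Channel": "Application", "EventID": 1000,
     "ObjectName": r"D:\app\crash.tmp"},                # wrong channel, kept
]

# The poster's pattern: an unescaped '.' matches any character before "tmp".
ORIGINAL_PATTERN = re.compile(r".tmp")
# Corrected pattern: a literal ".tmp"; case-insensitive because Windows paths
# are case-insensitive (assumption about what the poster wants filtered).
CORRECTED_PATTERN = re.compile(r"\.tmp", re.IGNORECASE)


def should_drop(event, pattern):
    """Model: if $Channel == 'Security' and $ObjectName =~ /.../ drop();
    A missing $ObjectName is undefined in NXLog, so the match is false."""
    if event.get("Channel") != "Security":
        return False
    object_name = event.get("ObjectName")
    if object_name is None:
        return False
    return pattern.search(object_name) is not None


def apply_filter(events, pattern):
    """Events that survive the drop rule, i.e. what the route would forward."""
    return [e for e in events if not should_drop(e, pattern)]


def compare(events):
    """ObjectNames each pattern drops, so over- and under-matching is visible."""
    return {
        "original": [e["ObjectName"] for e in events if should_drop(e, ORIGINAL_PATTERN)],
        "corrected": [e["ObjectName"] for e in events if should_drop(e, CORRECTED_PATTERN)],
    }


if __name__ == "__main__":
    for name, dropped in compare(SAMPLE_EVENTS).items():
        print(name, "drops:", dropped)
```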
This is an awful lot of information to help you out!