Hi team,

I'm getting an error during filtering activities on administrator account in WS2012. The goal is to track access and logout only for administrator account name (in $TargetUserName) that start with "admin_".

this is the conf file used:

<Input in_eventlog>
  Module      im_msvistalog
  ReadFromLast TRUE
  SavePos     TRUE
  Query     <QueryList> \
                   <Query Id="0"> \
                              <Select Path="Security">*[System[(EventID=4624)]]</Select> \
                              <Select Path="Security">*[System[(EventID=4634)]]</Select> \
                              <Select Path="Security">*[System[(EventID=4647)]]</Select> \
                              <Select Path="Security">*[System[(EventID=4648)]]</Select> \
                     </Query> \
Exec if $EventID == 4624 and string($TargetUserName) != /^admin_./ drop(); 
Exec if $EventID == 4648 and string($TargetUserName) != /^admin_./ drop(); 
Exec if $EventID == 4634 and string($TargetUserName) != /^admin_./ drop(); 
Exec if $EventID == 4647 and string($TargetUserName) != /^admin_./ drop();

<Output out_eventlog>
    Module      om_tcp
    Host        IP
    Port                PORT
    OutputType  GELF_TCP    

<Route eventlog>
  Path        in_eventlog => out_eventlog

Why it give me back an error status? ("unexpected /")

Thank you in advance

AskedOctober 31, 2018 - 12:14pm

Answer (1)