1
answer

Hello everybody, I'm trying to filter Windows events log with severity/level only from warning to critical, so from level 1 to 3.

Unfortunately, I tried several configurations, but the agent is still forwarding all the events. Like if there were no filters.

My specifications are, Nxlog CE Agent (version 2.10.2102) on a Windows 10 64 bits build 1803 with this conf :

   Panic Soft

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
 Module im_msvistalog
<QueryXML>
    <QueryList>
        <Query Id='0'>
            <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            <Select Path='Security'>*[System[(Level=1)]]</Select>
            <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        </Query>
    </QueryList>
</QueryXML>
</Input>

<Processor buffer>
Module pm_buffer
MaxSize 102400
Type disk
</Processor>

<Output out>
    Module  om_tcp
    Host    X.X.X.X
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route 1>
 Path eventlog => buffer => out
</Route>

Am I missing something? Did something change recently in the syntax?

Thanks for your help.

Best regards :)

AskedDecember 6, 2018 - 3:22pm

Comments (1)

  • Olistra's picture

    Hello,

    I forgot to say that there is no error in the nxlog.log on the Windows machine...

    Thanks for any help.

    December 10, 2018 - 9:44am

Answer (1)

Did something change recently in the syntax?

The QueryXML syntax is the same what Windows uses. You can create and test your filter in Event Viewer and copy the XML from there into your conf.

Alternatively you can use nxlog's built-in filtering which would be similar to the following:

Exec if $Channel == 'System' and $SeverityValue < 3 drop();

See the following in the documentation:

AnsweredDecember 10, 2018 - 10:12am

Comments (1)

  • Olistra's picture

    Thanks b0ti, but it is what I did, I use the XML tab generated code from the eventviewer...

    I'm gonna try the alternative provided and let you know the result.

    Thanks again.

    December 10, 2018 - 10:19am