Request trial
Request Trial

Nxlog CE agent forwarding all Windows Events despite the query level filter

Tags: windows 10 | NXLog Community Edition | Windows Event | windows events
#1 Olistra

Hello everybody, I'm trying to filter Windows events log with severity/level only from warning to critical, so from level 1 to 3.

Unfortunately, I tried several configurations, but the agent is still forwarding all the events. Like if there were no filters.

My specifications are, Nxlog CE Agent (version 2.10.2102) on a Windows 10 64 bits build 1803 with this conf :

   Panic Soft

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
 Module im_msvistalog
<QueryXML>
	<QueryList>
		<Query Id='0'>
			<Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
			<Select Path='Security'>*[System[(Level=1)]]</Select>
			<Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
			<Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
		</Query>
	</QueryList>
</QueryXML>
</Input>

<Processor buffer>
Module pm_buffer
MaxSize 102400
Type disk
</Processor>

<Output out>
    Module  om_tcp
    Host    X.X.X.X
    Port    514
	Exec 	to_syslog_snare();
</Output>

<Route 1>
 Path eventlog => buffer => out
</Route>

Am I missing something? Did something change recently in the syntax?

Thanks for your help.

Best regards :)

Permalink
#2 Olistra
#1 Olistra
Hello everybody, I'm trying to filter Windows events log with severity/level only from warning to critical, so from level 1 to 3. Unfortunately, I tried several configurations, but the agent is still forwarding all the events. Like if there were no filters. My specifications are, Nxlog CE Agent (version 2.10.2102) on a Windows 10 64 bits build 1803 with this conf : Panic Soft define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='Security'>*[System[(Level=1)]]</Select> <Select Path='Setup'>*[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select> </Query> </QueryList> </QueryXML> </Input> <Processor buffer> Module pm_buffer MaxSize 102400 Type disk </Processor> <Output out> Module om_tcp Host X.X.X.X Port 514 Exec to_syslog_snare(); </Output> <Route 1> Path eventlog => buffer => out </Route> Am I missing something? Did something change recently in the syntax? Thanks for your help. Best regards :)

Hello,

I forgot to say that there is no error in the nxlog.log on the Windows machine...

Thanks for any help.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS