Hello, I have recently been trying to set up a syslog-ng server for various devices and have tried a couple of things for sending Windows Events to the server.

Finally decided that NXLog will do what I need, and I have gotten some events sent over without much configuration, but when trying to filter within the .conf file, it always fails. I can't really find much good information as to why it might be failing, as it seems that it should be correct (to me anyway).

# Windows Event Log
<Input s_eventlog>
    Module im_msvistalog
    # Drop group-deleted (4734) and logon (4624) events; drop() stops further Exec lines for that event
    Exec if ($EventID == 4734 or $EventID == 4624) drop();
    # Serialise all event fields into $Message as JSON (requires the xm_json extension to be loaded)
    Exec $Message = to_json();
</Input>

I have narrowed it down to this block, since the log says:

nxlog failed to start: </Input> without matching <Input> section at C:\Program Files (x86)\nxlog\conf\nxlog.conf:43

which is where this block ends.

I can't really make sense of this, so if anyone has some guidance please tell me.

Asked February 18, 2019 - 7:41am

Answers (2)

The config snippet looks good; I'm not sure what the problem might be. You might want to post the full config and upload it somewhere so that it is not copy-pasted.

I think you need ():

Exec if ($EventID == 4734 or $EventID == 4624) drop();

I always put them in like this:

Exec if ($SubjectUserSid == 'S-1-5-18') drop();