
I'm using NXLog CE to forward Windows event logs via the im_msvistalog module. There are about 161 event IDs that I want to whitelist from the Security log, and I don't want to send anything else from the event logs.

The following config snippet works:
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(EventID=4627)]
                    or System[(EventID=4624)]
                    or System[(EventID=4775)]
                    or System[(EventID=4776)]
                    or System[(EventID=4777)]
                    or System[(EventID=4741)]
                    or System[(EventID=4742)]
                    or System[(EventID=4743)]
                    or System[(EventID=4744)]
                    or System[(EventID=4745)]
                    or System[(EventID=4746)]
                    or System[(EventID=4747)]
                    or System[(EventID=4748)]
                    or System[(EventID=4749)]
                    or System[(EventID=4750)]
                    or System[(EventID=4751)]
                    or System[(EventID=4752)]
                    or System[(EventID=4753)]
                    or System[(EventID=4759)]
                    or System[(EventID=4760)]
                    or System[(EventID=4672)]
                    or System[(EventID=4634)]
                    or System[(EventID=4648)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

The issue is that once I add one more line to that config, NXLog stops shipping events completely.

Is there a better way for me to write this that would allow for more than 23 whitelisted event IDs?

Asked May 1, 2019 - 7:44pm

Answer (1)

That's most likely due to Microsoft's Windows Eventlog API. NXLog is able to cope with this filtering using its native filtering capabilities. See the DC topic for example.

Comments (1)

  • paul.masek

    b0ti, that did the trick. My sincerest thanks!!!

    For the record, here's the relevant snippet from my config:

    define MonitoredEventIds    4774, 4775, 4776, 4777, 4741, 4742, 4743, 4744, 4745, 4746, \
                                4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, \
                                4762, 4763, 4782, 4793, 4727, 4728, 4729, 4730, 4731, 4732, \
                                4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, \
                                4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, \
                                4767, 4780, 4781, 4794, 5376, 5377, 4688, 4696, 4662, 5136, \
                                5137, 5138, 5139, 4625, 4634, 4647, 4624, 4625, 4648, 4675, \
                                4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633, \
                                4964, 4698, 4699, 4700, 4701, 4702, 5890, 5888, 5889, 4656, \
                                4715, 4719, 4902, 4904, 4905, 4906, 4907, 4908, 4912, 4706, \
                                4707, 4713, 4716, 4717, 4718, 4739, 4864, 4865, 4866, 4867, \
                                4704, 4705, 4706, 4707, 4714, 4672, 4673, 4674, 4960, 4961, \
                                4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485, 5024, \
                                5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, \
                                5058, 5059, 4608, 4609, 4616, 4621, 4610, 4611, 4614, 4622, \
                                4697, 4612, 4615, 4618, 4816, 5038, 5056, 5057, 5060, 5061, \
                                5062
    
    <Input eventlog>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if $EventID NOT IN (%MonitoredEventIds%) drop();
        </Exec>
    </Input>
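As an added example, not code from the thread or from NXLog itself: a small Python script that generates the `define` plus `<Exec>` drop() filter from a list of Event IDs (deduplicating first, since a long hand-maintained list such as the one above accumulates repeats like 4625 and 4706), renders the single-`<Select>` XPath variant from the question only while the list stays within the 23 clauses the question reports as working, and applies the same keep/drop decision to constructed sample events so the allowlist can be checked before it is deployed. The ID list and event records are constructed for the example; the 23 threshold is the observation from the question, not a documented API limit, and the function and variable names are the example's own.

```python
"""Build and check an NXLog allowlist filter for Windows Security events.

Added example, not code from the thread or from NXLog. It renders the
`define` + `<Exec>` drop() pattern the comment above uses and mirrors the
filter decision so a list can be tested against sample events offline.
"""

# Constructed sample allowlist (a subset of the IDs in the thread, with
# deliberate repeats to show deduplication).
SAMPLE_IDS = [4624, 4625, 4648, 4672, 4688, 4625, 4720, 4740, 4624]

# The question reports that 23 EventID clauses in one XPath <Select> worked
# and a 24th broke shipping; treated here as an observed threshold only.
OBSERVED_XPATH_ID_LIMIT = 23


def normalize_ids(ids):
    """Return (sorted unique IDs, sorted IDs that appeared more than once)."""
    seen, dupes = set(), set()
    for eid in ids:
        if eid in seen:
            dupes.add(eid)
        seen.add(eid)
    return sorted(seen), sorted(dupes)


def render_define(name, ids, per_line=10):
    """Render an NXLog `define` with backslash line continuations,
    continuation lines aligned under the first ID as in the thread."""
    rows = [ids[i:i + per_line] for i in range(0, len(ids), per_line)]
    indent = " " * (len("define ") + len(name) + 4)
    lines = []
    for idx, row in enumerate(rows):
        text = ", ".join(str(e) for e in row)
        prefix = f"define {name}    " if idx == 0 else indent
        suffix = ", \\" if idx < len(rows) - 1 else ""
        lines.append(prefix + text + suffix)
    return "\n".join(lines)


def render_input(define_name, path="Security"):
    """Render the <Input> block: subscribe to the whole log, drop in <Exec>."""
    return (
        "<Input eventlog>\n"
        "    Module  im_msvistalog\n"
        "    <QueryXML>\n"
        "        <QueryList>\n"
        "            <Query Id='0'>\n"
        f"                <Select Path='{path}'>*</Select>\n"
        "            </Query>\n"
        "        </QueryList>\n"
        "    </QueryXML>\n"
        "    <Exec>\n"
        f"        if $EventID NOT IN (%{define_name}%) drop();\n"
        "    </Exec>\n"
        "</Input>"
    )


def render_xpath_select(ids, path="Security"):
    """Single-<Select> XPath variant from the question; refuses lists longer
    than the count the question observed working."""
    if len(ids) > OBSERVED_XPATH_ID_LIMIT:
        raise ValueError(
            f"{len(ids)} IDs exceeds the {OBSERVED_XPATH_ID_LIMIT} that worked "
            "in one XPath query; use the define/Exec filter instead")
    clauses = " or ".join(f"System[(EventID={e})]" for e in ids)
    return f"<Select Path='{path}'>*[{clauses}]</Select>"


def should_forward(event_id, allowlist):
    """Mirror of `if $EventID NOT IN (...) drop();` for a single event."""
    return event_id in allowlist


def filter_events(events, allowlist):
    """Apply the allowlist to event records (dicts with an EventID key)
    and return only the ones NXLog would forward."""
    return [ev for ev in events if should_forward(ev["EventID"], allowlist)]


if __name__ == "__main__":
    ids, dupes = normalize_ids(SAMPLE_IDS)
    print("# duplicates removed:", dupes)
    print(render_define("MonitoredEventIds", ids))
    print()
    print(render_input("MonitoredEventIds"))
```

Running the script prints a ready-to-paste `define` and `<Input>` block; feeding `filter_events` a few records exported from a test host is a cheap way to confirm the list keeps the events you expect before the config goes onto a domain controller.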