3 responses

Hi all,
Is it possible (using the queries) to ONLY receive logs related to all Windows administrators and not related to all users?
Thanks.

Asked November 11, 2019 - 5:08pm

Answer (1)

Bruno,

While you stick to the agent-based approach, you can use filters and send only relevant logs to your collector.

Comments (2)

  • sec

    Thanks for your reply.
    What I need to know is how to filter logon events from an administrator logon. I already make use of the Query list statement to filter Windows events, but I cannot discriminate between regular users and administrators.
    I am wondering if nxlog has a function to help my problem.
    Thanks.

  • Zhengshi (NXLog)

    I think there is no way to do this automatically in an easy way. The main filtering logic would be something like this though:
    if $AccountName NOT IN ("Administrator1", "Administrator2") drop();

    Hope that helps
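Putting the two pieces of this thread together (a QueryList that pulls only logon events, then the drop-by-account-name logic from the comment above), as an added example that is not from the original thread or from NXLog's own documentation. It assumes NXLog on Windows with im_msvistalog; the administrator names and the collector address are placeholders, and because logon events 4624/4625 carry the account in TargetUserName rather than AccountName, that field is used here and an undefined field is treated as "not an administrator" so the event is dropped instead of silently passing.

```nxlog
# Added example (not the thread's or NXLog's own config).
# Assumptions: Windows host running NXLog with im_msvistalog; the account names
# and the collector host are placeholders to replace.

<Input eventlog>
    Module  im_msvistalog
    # Pull only logon events from the Security log at the source
    # (4624 = successful logon, 4625 = failed logon) rather than reading
    # everything and discarding it later in Exec.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(EventID=4624 or EventID=4625)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Same idea as the "NOT IN" filter in the comment above, applied to the
        # field that 4624/4625 actually populate ($TargetUserName).
        # If the field is missing, the comparison would evaluate to undef and
        # the event would be kept, so drop it explicitly in that case as well.
        if not defined($TargetUserName) or
           $TargetUserName NOT IN ("Administrator1", "Administrator2")
        {
            drop();
        }
    </Exec>
</Input>

<Output collector>
    Module  om_tcp
    Host    collector.example.internal   # placeholder collector address
    Port    514
    Exec    to_json();
</Output>

<Route admin_logons>
    Path    eventlog => collector
</Route>
```

The name list is case-sensitive as written; use lc($TargetUserName) and lowercase names in the list if account names on the host vary in case.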