PatternDB errors for Windows 2003


#1 jaredtully

Hi there, a little bit of a novice here. Hope you don't mind pointing me in the right direction.

I'm having some difficulty getting the configuration for using patternDB on Windows 2003 servers; the configuration works for Windows 2008+.

The logs I have are as follows:

2020-02-05 13:48:32 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:40
2020-02-05 13:48:32 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:76
2020-02-05 13:48:32 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:57
2020-02-05 13:48:32 ERROR module 'eventlog_Pattern' has configuration errors, not adding to route 'route_Pattern' at C:\Program Files\nxlog\conf\nxlog.conf:94
2020-02-05 13:48:32 WARNING not starting unused module eventlog
2020-02-05 13:48:32 WARNING not starting unused module eventlog_Pattern
2020-02-05 13:48:32 INFO nxlog-ce-2.10.2150 started

The section of conf is:

############################################################################
####                      NXLOG WITH PATTERNDB                         #####
####    Uncomment the following lines for Windows Events filtered      #####
############################################################################

<Input internal_Pattern>
    Module      im_internal
</Input>

<Input eventlog_Pattern>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Processor match_events>
     Module          pm_pattern
     PatternFile     %ROOT%\conf\patterndb.xml
</Processor>

<Output out_Pattern>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        if not defined $PatternID or not defined $Message { drop(); }
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route route_Pattern>
    Path        eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>

############################################################################
#####                     /NXLOG WITH PATTERNDB                        #####
############################################################################

Thanks for reading. Please let me know if any more information needs to be included.

#2 ArkadiyDeactivated Nxlog ✓

Hello,

Unfortunately im_msvistalog won't work in this case; there is a different log format in old versions of Windows. We have the im_mseventlog module for it, docs about it here: https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_mseventlog

Let us know if you need more info about it. Best regards, Arch
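The change Arkadiy suggests, written out as an added example (not a config from the post or from NXLog's own documentation): the same PatternDB route with im_mseventlog in place of im_msvistalog, the XML Query block removed since it is an im_msvistalog directive (the one the log flags as an invalid keyword), and the legacy logs selected with the Sources directive. The other eventlog input the log mentions at nxlog.conf line 40 is not shown in the post and needs the same change. It assumes the same ROOT, OUTPUT_DESTINATION_ADDRESS and OUTPUT_DESTINATION_PORT defines as the original file.

```apacheconf
# Added example, not from the original post or from NXLog's own docs:
# the PatternDB route adapted for Windows 2003 by swapping im_msvistalog
# for im_mseventlog. The <QueryList> XML filter is an im_msvistalog feature
# and is dropped; the legacy EventLog API reads whole logs, chosen with
# the Sources directive instead.
# Assumes the same ROOT, OUTPUT_DESTINATION_ADDRESS and
# OUTPUT_DESTINATION_PORT defines as the original nxlog.conf.

<Input internal_Pattern>
    Module      im_internal
</Input>

<Input eventlog_Pattern>
    Module      im_mseventlog
    # Legacy event log names; no per-event XML query is available here.
    Sources     Application, System, Security
</Input>

<Processor match_events>
    Module      pm_pattern
    PatternFile %ROOT%\conf\patterndb.xml
</Processor>

<Output out_Pattern>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    # Unchanged from the original post: only pattern matches are forwarded.
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        if not defined $PatternID or not defined $Message { drop(); }
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route route_Pattern>
    Path        eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>
```

Without the XML filter every record from those three logs reaches pm_pattern, but events that match no pattern are still discarded by the `not defined $PatternID` check in the output, so the forwarded volume stays the same as on Windows 2008+.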