
I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:

    .\nxlog.exe -v

    INFO configuration OK
    .\nxlog.exe -f

     INFO nxlog-ce-2.10.2150 started
     ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
     ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001]

The weird part is, when I remove multiple lines it works. However, when I test each line individually, it also works. I assume there is a conflict between them (e.g. duplicate eventIDs). Below is the configuration and associated examples.

Complete but fails .conf

    #NoFreeOnExit TRUE
    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>
                        (EventID=550) or
                        (EventID=612) or
                        (EventID=801) or
                        (EventID=1102) or
                        (EventID=1104) or
                        (EventID=1108) or
                        (EventID=4608) or
                        (EventID=4616) or
                        ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                        ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                        ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
                        ((EventID=4648) and (TargetDomainName="domain.net")) or
                        (EventID=4649) or
                        ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
                        ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
                        ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
                        (EventID=4699) or
                        (EventID=4704) or
                        (EventID=4717) or
                        (EventID=4719) or
                        (EventID=4720) or
                        (EventID=4726) or
                        (EventID=4740) or
                        (EventID=4765) or
                        (EventID=4766) or
                        (EventID=4794) or
                        (EventID=4897) or
                        (EventID=4946) or
                        (EventID=4948) or
                        (EventID=4950) or
                        (EventID=4964) or
                        (EventID=5024) or
                        (EventID=5025) or
                        (EventID=5030) or
                        (EventID=5124) or
                        ((EventID=5140) and (ShareName!="\\*C$")) or
                        ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
                        (EventID=5148) or
                        (EventID=5149) or
                        (EventID=5154) or
                        (EventID=5155) or
                        (EventID=5156) or
                        (EventID=5157) or
                        (EventID=5158) or
                        (EventID=5159) or
                        (EventID=5376) or
                        (EventID=5379)
                    </Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Output graylog>
        Module om_udp
        Host 192.168.1.1
        Port 55555
        OutputType GELF_UDP
    </Output>

    <Route toGraylog>
        Path eventlog => graylog
    </Route>

Cut out from above. Succeeds:

    <input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>
                        (EventID=550) or
                        (EventID=612) or
                        (EventID=801) or
                        (EventID=1102) or
                        (EventID=1104) or
                        (EventID=1108) or
                        (EventID=4608) or
                        (EventID=4616) or
                        ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                        ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                        ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
                        ((EventID=4648) and (TargetDomainName="domain.net")) or
                        (EventID=4649) or
                        ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
                        ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
                        ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or
                        (EventID=4699) or
                        (EventID=4704) or
                        (EventID=4717) or
                        (EventID=4719) or
                        (EventID=4720) or
                        (EventID=4726) or
                        (EventID=4740) or
                        (EventID=4765) or
                        (EventID=4766) or
                        (EventID=4794) or
                        (EventID=4897) or
                        (EventID=4946) or
                        (EventID=4948) or
                        (EventID=4950) or
                        (EventID=4964) or
                        (EventID=5024) or
                        (EventID=5025) or
                        (EventID=5030) or
                        (EventID=5124) or
                        ((EventID=5140) and (ShareName!="\\*C$")) or
                        ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
                        (EventID=5148) or
                        (EventID=5149) or
                        (EventID=5154) or
                        (EventID=5155) or
                        (EventID=5156) or
                        (EventID=5157) or
                        (EventID=5158) or
                        (EventID=5159) or
                        (EventID=5376) or
                        (EventID=5379)
                    </Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

Fails:

    (EventID=4699) or
    (EventID=4704) or
    (EventID=4717) or
    (EventID=4719) or
    (EventID=4720) or
    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156) or
    (EventID=5157) or
    (EventID=5158) or
    (EventID=5159) or
    (EventID=5376) or
    (EventID=5379)

Succeeds (Removed bottom 5):

    (EventID=4699) or
    (EventID=4704) or
    (EventID=4717) or
    (EventID=4719) or
    (EventID=4720) or
    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156)

Succeeds (Added bottom 5 back and removed top 5):

    (EventID=4726) or
    (EventID=4740) or
    (EventID=4765) or
    (EventID=4766) or
    (EventID=4794) or
    (EventID=4897) or
    (EventID=4946) or
    (EventID=4948) or
    (EventID=4950) or
    (EventID=4964) or
    (EventID=5024) or
    (EventID=5025) or
    (EventID=5030) or
    (EventID=5124) or
    (EventID=5148) or
    (EventID=5149) or
    (EventID=5154) or
    (EventID=5155) or
    (EventID=5156) or
    (EventID=5157) or
    (EventID=5158) or
    (EventID=5159) or
    (EventID=5376) or
    (EventID=5379)

Thank you!

Asked March 11, 2020 - 8:34pm

Answer (1)

The XPath within QueryXML is passed to the EventLog API as-is, and the error message also comes from MS code. We believe there is a length limitation for the XPath query.
See the Filtering Events section for more information about this.

Comments (5)

  • Pervon

    Not necessarily. I believe it is the query limit. But overall, I'm changing my approach. I haven't done so yet, but I referenced an online list of events to monitor and am just going to use those. I haven't done it yet, which is why I haven't followed up with a reply, but I'm slowly working on it. It should only take like 10 minutes since I'm just changing the eventIDs that I'm querying.

  • Pervon

    Went ahead and did it. I removed all the extra specific queries and just had "(EventID=xxxx)" queries. Unsure if the specific queries added onto the limit, but I've spent too much time on this as it is. My limit was 25 queries. Best of luck!

  • Pervon

    Found a better method after realizing mine didn't work. https://nxlog.co/question/4623/windows-event-id-whitelist-filter-question
    Refer to paul.masek's comment.
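One way to stay under the per-query limit the answer describes (and the 25-clause budget the asker reported) is to generate the QueryXML from a list of EventIDs and split it into several `<Query>` elements, each with its own `<Select>`. This is an added example and not code from the thread or from NXLog; it assumes the Windows filter accepts multiple `<Query Id>` blocks in one `<QueryList>` and that the limit applies per `<Select>`, and the budget of 25 is taken from the asker's observation rather than from Microsoft documentation.

```python
# Added example (not from the original post or NXLog): build an im_msvistalog
# QueryXML body from a list of Security EventIDs, chunking the clauses so that
# no single <Select> holds more than MAX_CLAUSES_PER_SELECT of them.
import xml.etree.ElementTree as ET

# Assumption: 25 is the value the asker found to work on their Win10 host;
# tune it for your own environment.
MAX_CLAUSES_PER_SELECT = 25


def build_clauses(event_ids, predicates=None):
    """Return one XPath clause per EventID, e.g. (EventID=4624).

    `predicates` optionally maps an EventID to an extra XPath condition, the
    way the asker restricted 4624 to selected LogonType values."""
    predicates = predicates or {}
    clauses = []
    for eid in event_ids:
        if eid in predicates:
            clauses.append(f"((EventID={eid}) and ({predicates[eid]}))")
        else:
            clauses.append(f"(EventID={eid})")
    return clauses


def chunk(items, size):
    """Split a list into consecutive groups of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_querylist(event_ids, path="Security", predicates=None,
                    max_clauses=MAX_CLAUSES_PER_SELECT):
    """Build a <QueryList> with one <Query Id='n'> per chunk of clauses."""
    clauses = build_clauses(event_ids, predicates)
    root = ET.Element("QueryList")
    for qid, group in enumerate(chunk(clauses, max_clauses)):
        query = ET.SubElement(root, "Query", Id=str(qid))
        select = ET.SubElement(query, "Select", Path=path)
        select.text = " or ".join(group)
    return root


def query_count(root):
    """Number of <Query> blocks produced (handy for checking the split)."""
    return len(root.findall("Query"))


def render(root):
    """Serialise to the XML text that goes between <QueryXML> and </QueryXML>."""
    return ET.tostring(root, encoding="unicode")
```

Paste the output of `render()` inside the `<QueryXML>` block of the `im_msvistalog` input and re-run `nxlog.exe -v` to confirm the configuration still validates.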