
Hi,
I'm not sure if this is an NXLog conf mistake, or I misunderstood it. The official NXLog conf file:
https://nxlog.co/documentation/nxlog-user-guide/ad-domain-controller.html

The event IDs included in the conf file seem to be found in Domain Controller -> Event Viewer -> Windows Logs -> Security.

But in the conf file below, NXLog is trying to look for these events in "Directory Service", with [System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService']]]

I did a test and it seems that in "Directory Service" there are almost 0 events listed in "HighEventIds", "MediumEventIds" and "LowEventIds".

Can someone tell me if this is a mistake in the official NXLog conf file, or am I misunderstanding the conf file configuration?

Thanks

```
define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102

define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
    4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
    4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
    4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
    4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
    5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
    5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
    6280, 24586, 24592, 24593, 24594

define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
    4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
    4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
    4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
    4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
    4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
    4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
    4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
    4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
    4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
    4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
    4891, 4893, 4894, 4895, 4898, 5136, 5137

<Input events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Directory Service">
                <Select Path="Directory Service">*[System[Provider[
                    @Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID NOT IN (%HighEventIds%)) and
           ($EventID NOT IN (%MediumEventIds%)) and
           ($EventID NOT IN (%LowEventIds%)) drop();
    </Exec>
</Input>
```

Asked September 8, 2020 - 8:43pm
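One way to check the question empirically on a domain controller, as an added example that is neither part of the original post nor NXLog's own code: parse the three ID lists out of nxlog.conf and count how many of those IDs actually occur in "Directory Service" versus "Security" over a recent window. It assumes an elevated PowerShell 5.1+ session on the DC (the Security log needs it); the conf path is a placeholder.

```powershell
# Added example, not part of the question or the NXLog docs: parse the
# HighEventIds/MediumEventIds/LowEventIds defines out of nxlog.conf and count
# how many of those IDs actually occur in "Directory Service" vs "Security".
# Assumes PowerShell 5.1+ on the domain controller in an elevated session.
# The default conf path below is an assumption; adjust it to your install.
param(
    [string]$ConfPath = 'C:\Program Files\nxlog\conf\nxlog.conf',
    [int]$Days = 7
)

# Join backslash-continued lines so each define sits on one line, then extract the lists.
$text  = (Get-Content -Path $ConfPath -Raw) -replace '\\\r?\n', ' '
$lists = @{}
foreach ($m in [regex]::Matches($text, '(?m)^\s*define\s+(\w+EventIds)\s+(.+)$')) {
    $ids = [regex]::Matches($m.Groups[2].Value, '\d+') | ForEach-Object { [int]$_.Value }
    $lists[$m.Groups[1].Value] = @($ids | Sort-Object -Unique)   # MediumEventIds lists 4764 twice
}

function Get-EventCountById {
    param([string]$LogName, [int[]]$Ids, [datetime]$StartTime)
    $seen = @{}
    # The event log XPath engine rejects queries with too many OR'd terms
    # (32-expression limit), so query the IDs in batches of 20.
    for ($i = 0; $i -lt $Ids.Count; $i += 20) {
        $batch  = $Ids[$i..([Math]::Min($i + 19, $Ids.Count - 1))]
        $filter = @{ LogName = $LogName; Id = $batch; StartTime = $StartTime }
        # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($seen.ContainsKey($e.Id)) { $seen[$e.Id]++ } else { $seen[$e.Id] = 1 }
        }
    }
    return $seen
}

$since = (Get-Date).AddDays(-$Days)
foreach ($name in ($lists.Keys | Sort-Object)) {
    foreach ($log in 'Directory Service', 'Security') {
        $hits  = Get-EventCountById -LogName $log -Ids $lists[$name] -StartTime $since
        $total = ($hits.Values | Measure-Object -Sum).Sum
        '{0,-15} {1,-18} IDs seen: {2,3}/{3,-3} events in last {4} days: {5}' -f `
            $name, $log, $hits.Count, $lists[$name].Count, $Days, [int]$total
    }
}
```

A row showing 0 IDs seen for "Directory Service" but many for "Security" reproduces what the question describes; the per-ID counts in `$hits` also tell you which of the configured IDs your DC never emits at all.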

Answer (1)

Hello,

Couple of questions:

1. Which version of NXLog do you use? Just FYI: you're referring to the EE docs.
2. On what Windows version are you working?
3. Do you have anything interesting in your `nxlog.log` file (or whatever you named it)?

Thanks,

Rafal