2
responses

Hello,
I have to filter multiple log (such as System, Application) and also filter it by levels.
I'm trying to wrote a config but don't output anything.

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path="System">*[System[(EventID=11150 or EventID=11151 or EventID=11152 or EventID=11153 or EventID=11154 or EventID=11155 or EventID=11162 or EventID=11163 or EventID=11164 or EventID=11165 or EventID=11166 or EventID=11167 or EventID=5773 or EventID=5774)]]</Select>
<Select Path='System'>*[System/Level=2]</Select>
<Select Path="System">*[System[(Level=2 or Level=4)][(EventID=6005 or EventID=6008)]]</Select>
<Select Path="System">*[System/Level=4[(EventID=6005 or EventID=6008)]]</Select>s
<Select Path="System">*[System/Level=3[(EventID=1031 or EventID=1053 or EventID=5053 or EventID=1129 or EventID=1131 or EventID=1135 or EventID=1206 or EventID=1211 or EventID=1216 or EventID=1553 or EventID=5553 or EventID=2057 or EventID=47 or EventID=16947 or EventID=16949 or EventID=4034 or EventID=9015 or EventID=9026)]]</Select>
<Select Path="Application">*[System/Level=2]</Select>
<Select Path="Application">*[System/Level=3[(EventID=514)]]</Select>
</QueryList>
</QueryXML>

I don't know if is the right way, it's my first time with nxlog.

Thanks a lot!

AskedSeptember 11, 2020 - 2:18pm

Answer (1)

Hello,

I'd suggest going toward a cleaner way:

First, gather your IDs in something like;

define wantedIds 11150, 11151, 11152, 11153, 11162, 9026

And next, your config can be simplified to something like this:

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path="System">*[System]</Select>
<Select Path="System">*[System/Level=2 or Level=3 or Level = 4]</Select>
<Select Path="Application">*[System/Level=2 or Level=3]</Select>
Exec if $EventID NOT IN (%wantedIds%) drop();
</QueryList>
</QueryXML>

Let me know if that works for you. If not - please, let me know, bringing the rest of your config and logs.

Regards,

Rafal

Comments (1)

  • LP_577584's picture

    Hello Rafal,

    Thanks for the reply. I've tried your configuration but is still output anything. I've tried udp and file.

    Here's the full config:

    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    ## Eventlog

    define wantedIdsSys 6005,6008,11150,11151,11152,11153,11154,11155,11162,11163,11164,11165,11166,11167,5773,5774,1031,1053,5053,1123,1129,1131,1135,1206,1211,1216,1553,5553,2057,2094,47,16947,16949,4034,9015,9026,4624,4634,4647,4648,4625,4778,4801,4803,4723,4724

    <Extension _syslog>
    Module xm_syslog
    </Extension>

    <Extension multi>
    Module xm_multiline
    HeaderLine /^================/
    EndLine /^---------------/
    </Extension>

    <Extension xml>
    Module xm_xml
    </Extension>

    <Input eventlog>
    Module im_msvistalog
    <QueryXML>
    <QueryList>
    <Query Id='0'>
    <Select Path='System'>*[System]</Select>
    <Select Path="System">*[System/Level=2 or Level=3 or Level=4)]</Select>
    <Select Path="Security">*[System]</Select>
    Exec if $EventID NOT IN (%wantedIdsSys%) drop();
    </QueryList>
    </QueryXML>
    Exec $Message =~ s/(\t|\R)/ /g;
    #Exec to_syslog_bsd();
    #Exec $raw_event = $EventTime + "\t" + $Hostname + "\t" + $SeverityValue + "\t" + $Channel + "\t" + $EventID + "\t" + $TargetDomainName + "\\" + $TargetUserName + "\t" + $Severity + "\t" + $Hostname + "\t" + $Message; \
    #if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
    </Input>

    <Output out>
    Module om_udp
    #File 'C:\Program Files (x86)\nxlog\data\out.log'
    Host 25.80.203.234
    Port 514
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec to_syslog_snare();
    </Output>

    <Route 1>
    Path eventlog => out
    </Route>