Understanding "Exec" filtering syntax

raf

Yes, you're right - that what the three conditionals are supposed to do.

The syntax looks well, too, but let us know in case you have any issues.

Good luck!

Rafal

AnsweredOctober 14, 2020 - 8:10am

Leave a comment

Comments (6)

JF_427179
Leave a comment
Hey, Rafal. I'm actually asking because those rules are not working for me. :) That's why I was asking if I am missing anything?

October 14, 2020 - 2:23pm

konstantinos (NXLog)
Leave a comment
Hi, I am sorry to hear that!

do you actually get syntax errors? What's the output of nxlog -v ?

do u use this filtering with Module im_msvistalog ? Any other directives used inside your Input block? Thanks, Konstantinos
October 15, 2020 - 12:34am

JF_427179

Leave a comment

C:\Program Files (x86)\nxlog>nxlog -v
2020-10-15 08:12:43 INFO configuration OK

Yes, I am using im_msvistalog. Here is the entire config:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log





<Extension _gelf>
    Module xm_gelf
    ShortMessageLength 500
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='ForwardedEvents'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
      if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
    {
        drop();
    }
      if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
    {
        drop();
    }
      if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
    {
        drop();
    }
    </Exec>
</Input>

<Output out>
    Module om_tcp
    Host logs.domain.com
    Port 12201
    OutputType GELF_TCP
</Output>

<Route 1>
    Path in => out
</Route>

It seems to be forwarding fine, but from what I can see, it's not dropping any messages. I have copied and pasted the values like 'S-1-5-21-3629192509-3943823860-1568066966-20147' to make sure they are correct.

October 15, 2020 - 2:16pm

konstantinos (NXLog)
Leave a comment
Hi, Thanks for the output. Please produce some debug with log_info (prints at INFO log level) to confirm what are the values of the fields that you are trying to use in the conditionals:

log_info("EventID: " + $EventID); log_info("TargetSid: " + $TargetSid); log_info("SubjectUserSid: " + $SubjectUserSid); etc..

Unlike normal windows eventlog records, ForwardedEvents put custom data under the EventData field and hence I suspect that some of the fields you are interested in might not be parsed automatically by the CE version.

Kind regards, Konstantinos
October 20, 2020 - 12:06am

b0ti (NXLog)
Leave a comment
EventID is normally an integer, not a string, so the following will be always FALSE:

$EventID == '4737'

You should compare without the quote:

$EventID == 4737

I suspect this is the culprit, I haven't tested though.
October 21, 2020 - 9:20pm

JF_427179
Leave a comment
I'll try to reply back in a few days, but right now, this is looking like the ticket.

What's strange to me is that this seems to have fixed the other two statements, too...which I entirely don't understand. But I'll wait a few days before saying this is fully fixed. Thanks in any case. :)

October 21, 2020 - 10:28pm

You are here

Understanding "Exec" filtering syntax

Answer (1)

Comments (6)