I am trying to filter certain Windows Server events. I have the following code:
<Exec>
    if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
    {
        drop();
    }
    if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
    {
        drop();
    }
    if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
    {
        drop();
    }
</Exec>
The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event.
The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or NewProcessName are a certain value, then drop the event.
The third basically is doing the same thing as the second one, except using different values.
Do I have the syntax correct for this?
Hey, Rafal. I'm actually asking because those rules are not working for me. :) That's why I was asking if I am missing anything?
Hi, I am sorry to hear that!
Do you actually get syntax errors? What's the output of nxlog -v? Do you use this filtering with Module im_msvistalog? Any other directives used inside your Input block?
Thanks, Konstantinos

Yes, I am using im_msvistalog. Here is the entire config:
It seems to be forwarding fine, but from what I can see, it's not dropping any messages. I have copied and pasted the values like 'S-1-5-21-3629192509-3943823860-1568066966-20147' to make sure they are correct.
Hi, thanks for the output. Please produce some debug output with log_info (prints at INFO log level) to confirm the values of the fields you are trying to use in the conditionals:
Unlike normal Windows event log records, ForwardedEvents put custom data under the EventData field, and hence I suspect that some of the fields you are interested in might not be parsed automatically by the CE version.
Kind regards, Konstantinos
EventID is normally an integer, not a string, so the following will always be FALSE:
You should compare without the quotes:
I suspect this is the culprit; I haven't tested it, though.
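Putting the two suggestions from this thread together (the log_info debug output Konstantinos asked for, and the unquoted integer comparison for EventID), here is an added example Input block; it is not code from the original post, and the input name, the log_info message text and the defined-check for the SID fields are assumptions.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    <Exec>
        # $EventID is an integer field, so compare it against an integer
        # literal. A quoted '4737' is a string and the comparison never matches.
        if $EventID == 4737
        {
            # ForwardedEvents may not have EventData fields parsed, so check
            # that the SID fields exist before comparing them (assumption).
            if defined $TargetSid AND defined $SubjectUserSid
            {
                # Debug output at INFO level: shows the exact SID values NXLog
                # sees, so a copy/paste mismatch is visible in the NXLog log file.
                log_info("4737 seen: TargetSid=" + string($TargetSid) +
                         " SubjectUserSid=" + string($SubjectUserSid));

                if $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND
                   $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
                {
                    drop();
                }
            }
            else
            {
                log_info("4737 seen but SID fields are undefined; check EventData parsing");
            }
        }
    </Exec>
</Input>
```

Once the log_info lines confirm the field values match, the debug statements can be removed and the remaining two rules from the original block added back unchanged, since their operands are all strings.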
I'll try to reply back in a few days, but right now, this is looking like the ticket.
What's strange to me is that this seems to have fixed the other two statements too, which I entirely don't understand. But I'll wait a few days before saying this is fully fixed. Thanks in any case. :)