Request trial
Request Trial

Understanding "Exec" filtering syntax

Tags:
#1 JF_427179

I am trying to filter certain Windows Server events. I have the following code:

<Exec>
  if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
	{
		drop();
	}
  if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
	{
		drop();
	}
  if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
	{
		drop();
	}
</Exec>

The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event.

The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or NewProcessName are a certain value, then drop the event.

The third basically is doing the same thing as the second one, except using different values.

Do I have the syntax correct for this?

Permalink
#2 rafDeactivated Nxlog ✓
#1 JF_427179
I am trying to filter certain Windows Server events. I have the following code: <Exec> if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118' { drop(); } if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe') { drop(); } if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe') { drop(); } </Exec> The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event. The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or NewProcessName are a certain value, then drop the event. The third basically is doing the same thing as the second one, except using different values. Do I have the syntax correct for this?

Yes, you're right - that what the three conditionals are supposed to do.

The syntax looks well, too, but let us know in case you have any issues.

Good luck!

Rafal
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS