Understanding "Exec" filtering syntax | Log collection solutions

#1 JF_427179 4 years ago

I am trying to filter certain Windows Server events. I have the following code:

<Exec>
  if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
	{
		drop();
	}
  if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
	{
		drop();
	}
  if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
	{
		drop();
	}
</Exec>

The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event.

The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or NewProcessName are a certain value, then drop the event.

The third basically is doing the same thing as the second one, except using different values.

Do I have the syntax correct for this?

Permalink

#2 rafDeactivated Nxlog ✓ 4 years ago

#1 JF_427179

I am trying to filter certain Windows Server events. I have the following code: <Exec> if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118' { drop(); } if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe') { drop(); } if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe') { drop(); } </Exec> The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event. The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or NewProcessName are a certain value, then drop the event. The third basically is doing the same thing as the second one, except using different values. Do I have the syntax correct for this?

Yes, you're right - that what the three conditionals are supposed to do.

The syntax looks well, too, but let us know in case you have any issues.

Good luck!

Rafal