I am trying to filter certain Windows Server events. I have the following code:

<Exec>
  if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
    {
        drop();
    }
  if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
    {
        drop();
    }
  if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
    {
        drop();
    }
</Exec>

The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event.

The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or NewProcessName are a certain value, then drop the event.

The third basically is doing the same thing as the second one, except using different values.

Do I have the syntax correct for this?

Asked October 13, 2020 - 6:57pm

Answer (1)

Yes, you're right - that's what the three conditionals are supposed to do.

The syntax looks fine, too, but let us know in case you have any issues.

Good luck!

Rafal

Comments (6)

  • konstantinos (NXLog)

    Hi, I am sorry to hear that!

    • do you actually get syntax errors? What's the output of nxlog -v?

    • do you use this filtering with Module im_msvistalog? Any other directives used inside your Input block? Thanks, Konstantinos

  • JF_427179

    C:\Program Files (x86)\nxlog>nxlog -v
    2020-10-15 08:12:43 INFO configuration OK
    

    Yes, I am using im_msvistalog. Here is the entire config:

    define ROOT C:\Program Files (x86)\nxlog
    
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    
    <Extension _gelf>
        Module xm_gelf
        ShortMessageLength 500
    </Extension>
    
    <Input in>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='ForwardedEvents'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
          if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
        {
            drop();
        }
          if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
        {
            drop();
        }
          if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
        {
            drop();
        }
        </Exec>
    </Input>
    
    <Output out>
        Module om_tcp
        Host logs.domain.com
        Port 12201
        OutputType GELF_TCP
    </Output>
    
    <Route 1>
        Path in => out
    </Route>
    

    It seems to be forwarding fine, but from what I can see, it's not dropping any messages. I have copied and pasted the values like 'S-1-5-21-3629192509-3943823860-1568066966-20147' to make sure they are correct.

  • konstantinos (NXLog)

    Hi, thanks for the output. Please produce some debug output with log_info (prints at INFO log level) to confirm what the values of the fields you are trying to use in the conditionals are:

    log_info("EventID: " + $EventID);
    log_info("TargetSid: " + $TargetSid);
    log_info("SubjectUserSid: " + $SubjectUserSid);
    etc.
    

    Unlike normal Windows event log records, ForwardedEvents put custom data under the EventData field, and hence I suspect that some of the fields you are interested in might not be parsed automatically by the CE version.

    Kind regards, Konstantinos

  • b0ti (NXLog)

    EventID is normally an integer, not a string, so the following will always be FALSE:

    $EventID == '4737'
    

    You should compare without the quotes:

    $EventID == 4737
    

    I suspect this is the culprit, though I haven't tested it.
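    The type mismatch b0ti points out and the EventData layout konstantinos mentions, as an added Python example that is not NXLog code and not from anyone in this thread: it parses a constructed forwarded 4737 event in the standard Windows event XML schema, types EventID as an integer the way NXLog does, and applies the thread's three drop rules so the string comparison '4737' can be seen failing against the integer field. The SubjectUserName value svc_example is an assumption; the SIDs and paths are the ones from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a forwarded 4737 event in the standard Windows event XML
# layout; the SIDs are the ones from the thread, SubjectUserName is assumed.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4737</EventID><Channel>ForwardedEvents</Channel></System>
  <EventData>
    <Data Name="TargetSid">S-1-5-21-3629192509-3943823860-1568066966-20147</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3629192509-3943823860-1568066966-20118</Data>
    <Data Name="SubjectUserName">svc_example</Data>
  </EventData>
</Event>"""

POSTGRES_NETVAULT = r"C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe"
POSTGRES_HVAC = r"C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe"


def parse_event(xml_text):
    """Flatten <System> fields and every EventData <Data Name=...> into one dict.
    EventID becomes an int, which is how NXLog types it."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def should_drop(f, event_id_as_string=False):
    """The thread's three drop rules. With event_id_as_string=True the first rule
    compares against '4737' (a str), which never equals the int EventID."""
    wanted = "4737" if event_id_as_string else 4737
    if (f.get("EventID") == wanted
            and f.get("TargetSid") == "S-1-5-21-3629192509-3943823860-1568066966-20147"
            and f.get("SubjectUserSid") == "S-1-5-21-3629192509-3943823860-1568066966-20118"):
        return True
    if (f.get("SubjectUserName") == "NETVAULT$" and f.get("SubjectUserSid") == "S-1-5-20"
            and POSTGRES_NETVAULT in (f.get("ProcessName"), f.get("NewProcessName"))):
        return True
    if (f.get("SubjectUserName") == "HVAC$" and f.get("SubjectUserSid") == "S-1-5-18"
            and POSTGRES_HVAC in (f.get("ProcessName"), f.get("NewProcessName"))):
        return True
    return False
```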

  • JF_427179

    I'll try to reply back in a few days, but right now, this is looking like the ticket.

    What's strange to me is that this seems to have fixed the other two statements, too...which I entirely don't understand. But I'll wait a few days before saying this is fully fixed. Thanks in any case. :)