0
responses

Hi guys,

I must forwarding some logs, but only of some users.
this's my current configuration.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Security'>*[System[(EventID=4720 or EventID=4634 or EventID=4625 or EventID=4624 or EventID=4726)]]</Select>
</Query>
</QueryList>
</QueryXML>
Exec $Message = 'EventID: ' + $EventID +' Source: '+ $IpAddress + ' Username: ' + $TargetUserName ;
</Input>

<Output tcp>
Module om_udp
Host xx.xxx.xx.xxx
Port xxx
Exec to_syslog_bsd();
</Output>

<Route eventlog_to_tcp>
Path eventlog => tcp
</Route>

can you help me?
thank you

AskedOctober 16, 2020 - 11:01am

Answers (0)