Hi guys,

I must forwarding some logs, but only of some users.
this's my current configuration.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

<Extension _exec>
Module xm_exec

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);

# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);

<Input eventlog>
Module im_msvistalog
<Query Id='0'>
<Select Path='Security'>*[System[(EventID=4720 or EventID=4634 or EventID=4625 or EventID=4624 or EventID=4726)]]</Select>
Exec $Message = 'EventID: ' + $EventID +' Source: '+ $IpAddress + ' Username: ' + $TargetUserName ;

<Output tcp>
Module om_udp
Host xx.xxx.xx.xxx
Port xxx
Exec to_syslog_bsd();

<Route eventlog_to_tcp>
Path eventlog => tcp

can you help me?
thank you

AskedOctober 16, 2020 - 11:01am

Answer (1)


You need to provide the list of names to be included in the forwarding process - if you don't mind the list being hard-coded in the conf file, you may simply make put it as:

define SELECTED_USERS 'user1', 'user2',...

And then, add simple filtering, adding cause in a proper place:

Exec if $TargetUserName NOT IN %SELECTED_USERS% drop();

You might find some inspiration in im_msvistalog docs