Hi All,
I'm testing the possibility of forwarding Windows Security logs to a SIEM. It all seems OK, but I'm not able to drop messages with certain values.
For example, we have some events with
$TargetUserName = DWM-"1to11" (example: DWM-1)
$TargetUserName = UMFD-"1to11" (example: UMFD-4)
$TargetUserName = pcname$ (example: HOSTNAME$)
$TargetUserName = Anonymous Access
I'm able to drop "Anonymous Access" with this command:
Exec if $TargetUserName == "Anonymous Access" drop();
but with the other events, I can't use
Exec if $TargetUserName == "UMFD" drop();
because there are multiple events like UMFD-1, UMFD-2, UMFD-3, or the username has a "$" at the end of the $TargetUserName value.
I have tried this configuration, but it doesn't seem to work:
Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();
Can you help me?
Thank you
Comments (2)
Ivano,
I think here you would need to escape the dollar symbol:
Exec if $TargetUserName =~ /\$/ drop();
Can you post here your config file?
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert

Moduledir %ROOT%\\modules
CacheDir  %ROOT%\\data
Pidfile   %ROOT%\\data\\nxlog.pid
SpoolDir  %ROOT%\\data
LogFile   %ROOT%\\data\\nxlog.log

define MonitoredEventIds 528, 538, 4800, 4624, 4648, 4647

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
    Exec if $TargetUserName == "SYSTEM" drop();
    Exec if $TargetUserName == "ACCESSO ANONIMO" drop();
    Exec if $TargetUserName == "SERVIZIO DI RETE" drop();
    Exec if $TargetUserName == "SERVIZIO LOCALE" drop();
    # doesn't work (does not drop DWM-1 DWM-2 DWM-3)
    Exec if $TargetUserName =~ /DWM/ drop();
    # doesn't work (does not drop UMFD-1 UMFD-2 ...)
    Exec if $TargetUserName =~ /UMFD/ drop();
    # seems to drop everything (all messages)
    Exec if $TargetUserName =~ /$/ drop();
</Input>

<Output out>
    Module om_udp
    Host   SERVERIP
    Port   514
    Exec   to_json();
</Output>

<Route eventlog_to_out>
    Path eventlog => out
</Route>
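As an added example that is not part of the thread above, here is the Input block from the posted config with its filter lines rewritten so that each regex matches only what it is meant to match. It assumes the %MonitoredEventIds% define and the localized account names from the config above, and that NXLog evaluates regular expressions with PCRE, so anchors, alternation and \d behave as they do in Perl.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # Keep only the event IDs listed in the define from the posted config.
    Exec if $EventID NOT IN (%MonitoredEventIds%) drop();

    # Exact matches for well-known accounts. These names are whatever the
    # localized Windows install reports (Italian here); adjust for your locale.
    Exec if $TargetUserName == "SYSTEM" drop();
    Exec if $TargetUserName == "ACCESSO ANONIMO" drop();
    Exec if $TargetUserName == "SERVIZIO DI RETE" drop();
    Exec if $TargetUserName == "SERVIZIO LOCALE" drop();

    # Desktop Window Manager / User-Mode Font Driver virtual accounts
    # (DWM-1, DWM-2, UMFD-4, ...). One anchored pattern covers both families
    # and will not also match a real user whose name merely contains "DWM".
    Exec if $TargetUserName =~ /^(DWM|UMFD)-\d+$/ drop();

    # Computer accounts end in a literal dollar sign (HOSTNAME$).
    # An unescaped $ in a regex is the end-of-string anchor, so /$/ matches
    # every value and drops every event. \$ matches the character itself and
    # the trailing $ anchors it to the end of the name.
    Exec if $TargetUserName =~ /\$$/ drop();
</Input>
```

The rest of the posted config (the defines, the Extension, Output and Route blocks) is unchanged by this example; only the Exec lines inside the Input block differ. The order of the Exec lines matters in one direction only: the EventID filter first discards the bulk of the Security log cheaply, and the string comparisons and regexes then run against the smaller remainder.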