Nxlog Community - Forwarding Event Log - Drop messages
Hi All,
i'm testing the possibility of forwarding windows security logs to SIEM. Seems all ok, but i'm not able to drop messages with some values.
For example we have some event with
$TargetUsername = DWM-"1to11" (example : DWM-1) $TargetUsername = UMFD-"1to11" (example : UMFD-4) $TargetUsername = pcname$ (example : HOSTNAME$) $TargetUsername = Anonymous Access
I'm able to drop "Anonymous Access" with this command :
Exec if $TargetUserName == "Anonymous Access" drop();
but with the other events, i can't use
Exec if $TargetUserName == "UMFD" drop();
because the events are multiple like UMFD-1 UMFD-2 UMFD-3, or username with "$" at the end of the $TargetUserName Value
i have tried with this configuration but seems doesn't work
Exec if $TargetUserName =~ /UMFD/ drop(); Exec if $TargetUserName =~ /DWM/ drop(); Exec if $TargetUserName =~ /$/ drop();
Can you help me?
Thanks you
Ivano,
I think here you would need to escape the dollar symbol:
Exec if $TargetUserName =~ /\$/ drop();
Can you post here your config file?
