Hi All,

I'm testing the possibility of forwarding Windows security logs to a SIEM. It all seems OK, but I'm not able to drop messages with some values.

For example we have some event with

$TargetUserName = DWM-"1 to 11" (example: DWM-1)
$TargetUserName = UMFD-"1 to 11" (example: UMFD-4)
$TargetUserName = pcname$ (example: HOSTNAME$)
$TargetUserName = Anonymous Access

I'm able to drop "Anonymous Access" with this command:

Exec if $TargetUserName == "Anonymous Access" drop();

but with the other events, I can't use

Exec if $TargetUserName == "UMFD" drop();

because there are multiple events like UMFD-1, UMFD-2, UMFD-3, or usernames with "$" at the end of the $TargetUserName value.

I have tried this configuration, but it doesn't seem to work:

Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thank you

Asked January 28, 2021 - 7:28pm
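The three patterns in the question behave differently from what the poster expects, and the reason is plain regex semantics rather than anything NXLog-specific: an unescaped `$` is the end-of-string anchor, so `/$/` matches every value, while a literal dollar sign has to be written `\$`. The following added example (not part of the original post or of NXLog) reproduces the drop rules in Python's `re` module, which uses the same PCRE-style syntax as NXLog's `=~` operator, runs them over a constructed list of TargetUserName values, and shows which names survive. The anchored patterns `^DWM-\d+$` and `^UMFD-\d+$` are my tightened versions of the poster's `/DWM/` and `/UMFD/`, so that an ordinary account such as `DWMTEST` is not dropped by accident.

```python
import re

# Constructed sample TargetUserName values, modelled on the ones in the question
# plus a few ordinary accounts that must NOT be dropped.
SAMPLE_USERNAMES = [
    "DWM-1",             # Desktop Window Manager session account
    "DWM-11",
    "UMFD-4",            # User-Mode Font Driver account
    "HOSTNAME$",         # computer account: literal '$' at the end
    "Anonymous Access",
    "jsmith",            # real user, keep
    "DWMTEST",           # real user whose name merely contains "DWM", keep
    "svc$backup",        # real user with a '$' that is not at the end, keep
]

# Drop rules, written as anchored regexes. These are assumed equivalents of
# NXLog 'Exec if $TargetUserName =~ /.../ drop();' lines, not NXLog's own code.
DROP_PATTERNS = [
    re.compile(r"^DWM-\d+$"),          # DWM-1 .. DWM-11
    re.compile(r"^UMFD-\d+$"),         # UMFD-0 .. UMFD-11
    re.compile(r"\$$"),                # escaped '$' then end-of-string: computer accounts
    re.compile(r"^Anonymous Access$"),
]


def should_drop(username, patterns=DROP_PATTERNS):
    """True when any drop rule matches the TargetUserName value."""
    return any(p.search(username) for p in patterns)


def filter_usernames(usernames, patterns=DROP_PATTERNS):
    """Return the names that would be forwarded to the SIEM (i.e. not dropped)."""
    return [u for u in usernames if not should_drop(u, patterns)]


def count_matches(pattern):
    """Count how many sample names a raw pattern matches.

    Used to show why the poster's '/$/' drops everything: the bare '$' anchor
    matches the empty string at the end of every value.
    """
    return sum(1 for u in SAMPLE_USERNAMES if re.search(pattern, u))


if __name__ == "__main__":
    print("kept:", filter_usernames(SAMPLE_USERNAMES))
    print("names matched by /$/   :", count_matches(r"$"))
    print("names matched by /\\$$/ :", count_matches(r"\$$"))
```

Running the script shows that `/$/` matches all eight constructed names, `/\$$/` matches only `HOSTNAME$`, and the anchored rules leave `jsmith`, `DWMTEST` and `svc$backup` untouched. The same `\$$` escape is what the NXLog line needs.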

Comments (2)

  • IB_956097

    define ROOT C:\Program Files (x86)\nxlog
    define ROOT_STRING C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    define MonitoredEventIds 528, 538, 4800, 4624, 4648, 4647

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Input eventlog>
        Module im_msvistalog
        # Event selection lives in the QueryXML block; the Exec filters follow it
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
        Exec if $TargetUserName == "SYSTEM" drop();
        Exec if $TargetUserName == "ACCESSO ANONIMO" drop();
        Exec if $TargetUserName == "SERVIZIO DI RETE" drop();
        Exec if $TargetUserName == "SERVIZIO LOCALE" drop();
        # ----> doesn't work (does not drop DWM-1 DWM-2 DWM-3)
        Exec if $TargetUserName =~ /DWM/ drop();
        # ----> doesn't work (does not drop UMFD-1 UMFD-2 ...)
        Exec if $TargetUserName =~ /UMFD/ drop();
        # ----> /$/ seems to drop everything (all messages): an unescaped $ is the
        # end-of-string anchor and matches every value. A literal dollar sign
        # must be escaped, so this drops only names ending in "$" (computer accounts):
        Exec if $TargetUserName =~ /\$$/ drop();
    </Input>

    <Output out>
        Module om_udp
        Port 514
        Exec to_json();
    </Output>

    <Route eventlog_to_out>
        Path eventlog => out
    </Route>
Answers (0)