1
response

Hello,

I am having issues setting up the config file for NXlog to pull security events from DC and send to Graylog for my school Capstone project. In the log I keep getting an error "Couldnt parse Exec block at ... couldnt parse statement at line 58, character 218 in .... sytnax error, unexpected )". I utilized a config setup from NXlog documentation and adjusted for my needs. I am not sure what is wrong as the exec block looks proper to me. Here is what I have in my config file:

define SecuritySrc Microsoft-Windows-Security-Auditing

<Input DC_events>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*[System[Provider[
@Name='%SecuritySrc%']]]
</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if not (defined($SourceName) and
($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%")) <------ line 58
drop();
</Exec>
</Input>

I appreciate any help on this!

AskedMarch 25, 2021 - 8:08pm

Answer (1)