Hi, I installed the NXLog Enterprise Edition v5 trial and tried to filter out events before sending them to the SIEM. I can get some events and see them on the SIEM side. But when I create a fake event, I cannot see all of them. What do I want? I want to forward Windows server APP, SEC and SYS logs that have only WARNING, ERROR and CRITICAL levels, in CEF format. Is that config part correct?

 <Extension _syslog>
Module  xm_syslog
</Extension>

<Extension _cef>
Module xm_cef
</Extension>

<Input in_jornal>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
# Channel Security
# Level 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
# Note that Level 0 (LogAlways) also satisfies Level<4.
<QueryXML>
<QueryList>
<Query Id='0'>
    <Select Path='Application'>
        *[System/Level&lt;4]
    </Select>
    <Select Path='Security'>
        *[System/Level&lt;4]
    </Select>
    <Select Path='System'>
        *[System/Level&lt;4]
    </Select>
</Query>
</QueryList>
</QueryXML>
</Input>
Asked March 7, 2022 - 9:46am

Comments (2)

  • NenadM (NXLog)

    You can do two things:

    1. Redirect the output to a local file using the om_file module and check what is being written, just in case the problem is with sending the logs over to the SIEM.

    <Output file>
    Module om_file
    File "C:\SomeWindowsDir\SomeTxtFile.txt"
    </Output>

    2. Find your fake events in the Event Viewer and check your fake event's channel, i.e. does it belong to Security, System or Application? Or could it be something else? And what is the severity of those kinds of logs? Is it below 4? In case it's not, your module is set to ignore them. Try with:

    <Select Path='Application'>*</Select>
    <Select Path='Security'>*</Select>
    <Select Path='System'>*</Select>

    and then add more filtering options as needed.

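Putting the two suggestions above together, as an added example (this is not code from the original post or from NXLog): a complete nxlog.conf that writes the selected Application, System and Security events as CEF to a local file, so the filter can be checked before the SIEM is involved. It is stricter than the Level<4 test in the question: it names the three levels explicitly, and it selects Security events by the Audit Failure keyword, because Security audit events are written at Level 0 (LogAlways) and therefore also match Level<4. The instance names and the output path are assumptions.

```nxlog
# Added test configuration, not from the original post or NXLog's docs.
# Instance names (in_eventlog, out_file, r_test) and the file path are assumed.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _cef>
    Module      xm_cef
</Extension>

<Input in_eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <!-- Level 1 = Critical, 2 = Error, 3 = Warning.
                     Listing them explicitly avoids matching Level 0 (LogAlways). -->
                <Select Path='Application'>
                    *[System[(Level=1 or Level=2 or Level=3)]]
                </Select>
                <Select Path='System'>
                    *[System[(Level=1 or Level=2 or Level=3)]]
                </Select>
                <!-- Security audit events carry Level 0; they are told apart by
                     keyword. 4503599627370496 (0x10000000000000) = Audit Failure,
                     9007199254740992 (0x20000000000000) = Audit Success. -->
                <Select Path='Security'>
                    *[System[band(Keywords,4503599627370496)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out_file>
    Module      om_file
    # Assumed location; the directory must exist and be writable by the
    # account the nxlog service runs as. Single quotes: no backslash escaping.
    File        'C:\nxlog-test\events.cef'
    # Render each event record as CEF; this replaces $raw_event.
    Exec        to_cef();
</Output>

<Route r_test>
    Path        in_eventlog => out_file
</Route>
```

Raise a test event in each channel, then inspect events.cef: an event that is missing from the file was either dropped by the XPath (check its Level and Keywords in Event Viewer, or run the same QueryList through Get-WinEvent -FilterXml) or never reached the channel you expected. Only once the file contains exactly the expected records is it worth swapping out_file for the om_tcp/om_udp output pointing at the SIEM; if the SIEM expects CEF inside a syslog header, call to_syslog_bsd() after to_cef() in that output's Exec.
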
Answers (0)