Hi, I install NXLog Enterprise Edition v5 trial And try to filter out events before send to SIEM. I can get some events and see SIEM side. But when I create fake event , cannot see all. What I want? I want to forward Windows server APP, SEC ve SYS logs that have only WARNING,ERROR and CRITICAL levels in CEF format Is that config part correct?
<Extension _syslog> Module xm_syslog </Extension> <Extension _cef> Module xm_cef </Extension> <Input in_jornal> Module im_msvistalog # For windows 2003 and earlier use the following: # Module im_mseventlog # Channel Security <QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'> *[System/Level<4] </Select> <Select Path='Security'> *[System/Level<4] </Select> <Select Path='System'> *[System/Level<4] </Select> </Query> </QueryList> </QueryXML>