How to filter Windows Server event by level


#1 tevfikceydeliler

Hi, I installed the NXLog Enterprise Edition v5 trial and am trying to filter out events before sending them to the SIEM. I can get some events and see them on the SIEM side. But when I create a fake event, I cannot see all of them. What do I want? I want to forward Windows Server APP, SEC and SYS logs that have only WARNING, ERROR and CRITICAL levels, in CEF format. Is that config part correct?

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _cef>
    Module  xm_cef
</Extension>

<Input in_jornal>
    Module  im_msvistalog
    # For Windows 2003 and earlier use the following:
    # Module  im_mseventlog
    # Channel Security
    # Windows event levels: 0 = LogAlways, 1 = Critical, 2 = Error,
    # 3 = Warning, 4 = Information, 5 = Verbose. Level<4 therefore also
    # matches Level 0 events (Security audit records are written with
    # Level 0); (Level=1 or Level=2 or Level=3) matches only
    # Critical, Error and Warning.
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>
                    *[System/Level&lt;4]
                </Select>
                <Select Path='Security'>
                    *[System/Level&lt;4]
                </Select>
                <Select Path='System'>
                    *[System/Level&lt;4]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
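As an added example that is not part of this thread and not NXLog's own code, the following Python script replays the two XPath level predicates against constructed Windows event XML records. It shows that the posted predicate *[System/Level&lt;4] also matches Level 0 (LogAlways) events, which is the level Windows writes for Security audit records, while listing Level 1, 2 and 3 explicitly matches only Critical, Error and Warning. The provider name and the sample events are constructed test data, not records from a real server.

```python
# Added example (not part of the thread): replays the level predicates from the
# QueryXML above against constructed Windows event XML records to show which
# events each predicate would pass on. Sample events are hypothetical test data.
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (the records im_msvistalog reads).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows event log levels as recorded in <System><Level>.
LEVEL_NAMES = {
    0: "LogAlways",
    1: "Critical",
    2: "Error",
    3: "Warning",
    4: "Information",
    5: "Verbose",
}


def make_event(channel, level, event_id, provider="ConstructedProvider"):
    """Build a minimal Windows-style event XML record (constructed sample)."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        "<System>"
        f'<Provider Name="{provider}"/>'
        f"<EventID>{event_id}</EventID>"
        f"<Level>{level}</Level>"
        f"<Channel>{channel}</Channel>"
        "</System>"
        "<EventData><Data>constructed test event</Data></EventData>"
        "</Event>"
    )


# Constructed sample set covering every level, including Level 0 events such as
# Security audit records, which Windows writes with Level 0 (LogAlways).
SAMPLE_EVENTS = [
    make_event("Application", 3, 1000),  # Warning
    make_event("Application", 4, 1001),  # Information
    make_event("System", 2, 7034),       # Error
    make_event("System", 1, 41),         # Critical
    make_event("System", 5, 9999),       # Verbose
    make_event("Security", 0, 4624),     # audit success, Level 0
    make_event("Security", 0, 4625),     # audit failure, Level 0
]


def parse_event(xml_text):
    """Return (channel, event_id, level) from one event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return (
        system.find("e:Channel", NS).text,
        int(system.find("e:EventID", NS).text),
        int(system.find("e:Level", NS).text),
    )


def level_below_4(level):
    """Mirrors the posted predicate *[System/Level<4]: matches 0, 1, 2 and 3."""
    return level < 4


def level_is_warning_or_worse(level):
    """Mirrors *[System[(Level=1 or Level=2 or Level=3)]]: excludes Level 0."""
    return level in (1, 2, 3)


def select(events, predicate):
    """Apply a level predicate to a list of event XML records.

    Returns [(channel, event_id, level_name), ...] for the matching events,
    in input order, i.e. the events the input module would pass to the output.
    """
    matched = []
    for xml_text in events:
        channel, event_id, level = parse_event(xml_text)
        if predicate(level):
            matched.append((channel, event_id, LEVEL_NAMES[level]))
    return matched


if __name__ == "__main__":
    for name, pred in (("Level<4", level_below_4),
                       ("Level=1 or 2 or 3", level_is_warning_or_worse)):
        print(f"--- {name} ---")
        for row in select(SAMPLE_EVENTS, pred):
            print(row)
```

Run it with python3 and compare the two listings: the Level&lt;4 run includes both Security events, the explicit-level run does not. The same predicates can be checked against a live server in Event Viewer's custom filter XML tab before they go into QueryXML.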
#2 tevfikceydeliler

No idea?