1
response

Config works without <QueryXML> lines.
When i add thoose lines it stops sends any data.
I tested with user modification or login fail etc.

Thanks for your help

<Extension syslog>
Module xm_syslog
</Extension>

<Extension xml>
Module xm_xml
</Extension>

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1102 or EventID=4719 or EventID=4704 or EventID=4717 or EventID=4738 or EventID=4798 or EventID=4705 or EventID=4674 or EventID=4697 or EventID=4648 or EventID=4723 or EventID=4946 or EventID=4950 or EventID=6416 or EventID=6424 or EventID=4732)]]</Select>
</Query>
</QueryList>
</QueryXML>
Exec $Message = to_xml(); to_syslog_bsd();
</Input>

<Output tcp>
Module om_tcp
Host 127.0.0.1
Port 514
</Output>

<Route eventlog_to_tcp>
Path eventlog => tcp
</Route>

AskedMarch 14, 2022 - 2:21pm

Answer (1)

Hi Anıl,

There is nothing wrong with the query itself. You're probably not getting logs immediately because the events that passed the filter specified is yet to be created.

I hope this helps.

Regards,

Jeffron