How to send specific event id's to log server from windows

[benhank]

How would I configure NXlog to only send specific event Id's from the remote server to NLS?
I would be using the default configuration instructions provided by NLS.

For example:
On my windows server If event id 4567 is created it will be sent to NLS but no other event id's get sent.

[ssax]

Please see the bottom of this page:

https://nxlog.co/documentation/nxlog-us ... ering.html

Something like this should work:

Code: Select all

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
 
	<QueryXML>
		<QueryList>
			<Query Id='0'>
				<Select Path='System'>*</Select>
				<Select Path='Application'>*</Select>
				<Select Path='Security'>*</Select>
			</Query>
		</QueryList>
	</QueryXML>
	<Exec>
	    if not ($EventID in (12345, 22222))
	    drop();
	</Exec>
</Input>

[benhank]

Ok Ill give it a shot and thanks!

[benhank]

so just to confirm , the entire cfg should look like this:

Code: Select all

## See the nxlog reference manual at 
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog

   <QueryXML>
      <QueryList>
         <Query Id='0'>
            <Select Path='System'>*</Select>
            <Select Path='Application'>*</Select>
            <Select Path='Security'>*</Select>
         </Query>
      </QueryList>
   </QueryXML>
   <Exec>
       if not ($EventID in (12345, 22222))
       drop();
   </Exec>
</Input>

<Output out>
    Module om_tcp
    Host llogserver server name
    Port 3515
	
    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();
	
	# Uncomment for debug output
	# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
 
<Route 1>
    Path internal, file1, eventlog => out
</Route>

[ssax]

Correct.

[benhank]

thanks you can lock it up