Hello LOG support
You helped me to filter "Security" logs only. Now I am trying to filter specific multiple EventIDs: 4660, 4663, 4624, 5140, 560, 564.
In the sample of:
==============================================================
Query <QueryList> \
    <Query Id="0">\
        <Select Path="Security">*[System[(EventID='4663')]]</Select>\
    </Query>\
</QueryList>
=============================================================
How do I include multiple EventIDs?
Thank you
Filtering events at the source (multiple IDs)
Re: Filtering events at the source (multiple IDs)
You can query for a range of numbers like so:
You can use a filter if you'd prefer.
Re: Filtering events at the source (multiple IDs)
jolson wrote: You can query for a range of numbers like so: You can use a filter if you'd prefer.
We actually prefer source-based filtering (to save the WAN). Just unsure how to edit the configuration file to include say 4660, 4663 and 560 (for example)
Re: Filtering events at the source (multiple IDs)
Understood. Please see this link for an excellent document that covers nxlog in detail: http://nxlog-ce.sourceforge.net/nxlog-d ... manual.pdf
That said, you will need to modify nxlog.conf on your Windows Server as follows:
<Input eventlog>
    Module im_msvistalog
    Exec if not ($EventID == 4660 or $EventID == 4663 or $EventID == 560) drop();
</Input>
Let me know if that works for you. Thanks!
Re: Filtering events at the source (multiple IDs)
jolson wrote: That said, you will need to modify nxlog.conf on your Windows Server as follows:
<Input eventlog>
    Module im_msvistalog
    Exec if not ($EventID == 4660 or $EventID == 4663 or $EventID == 560) drop();
</Input>
This worked. Thank you very much!
- please close this case
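The two filter forms discussed in this thread side by side, as an added example that is not code from the thread, from Nagios or from the nxlog project: `xpath_select` builds the multi-ID `<Select>` predicate the first post asked about (the `EventID=a or EventID=b` form that Event Viewer's XML filter uses), `nxlog_exec_line` builds the `Exec ... drop();` allow-list jolson posted, and `keep_event` applies the same decision to a constructed Security-channel record so you can see which IDs would actually leave the server. The function names, the `WANTED_EVENT_IDS` tuple and the sample records are my own; the `EVT_NS` namespace is the one real Windows event XML carries.

```python
"""Build and check a multi-EventID source filter (added example, not from the thread)."""
import xml.etree.ElementTree as ET

# The Event IDs the original poster wants to keep at the source (listed in the thread).
WANTED_EVENT_IDS = (4660, 4663, 4624, 5140, 560, 564)

# Default namespace on Windows event records (real value emitted by the event log).
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def xpath_select(event_ids, path="Security"):
    """Build the <Select> line of a QueryList that matches several Event IDs.

    Answers the first post's question: the IDs are joined with 'or' inside
    System[...], the same predicate syntax Event Viewer's XML filter emits.
    """
    predicate = " or ".join(f"EventID={eid}" for eid in event_ids)
    return f'<Select Path="{path}">*[System[({predicate})]]</Select>'


def nxlog_exec_line(event_ids):
    """Build the Exec directive in the form jolson posted: drop anything not listed."""
    condition = " or ".join(f"$EventID == {eid}" for eid in event_ids)
    return f"Exec if not ({condition}) drop();"


def event_id_of(event_xml):
    """Return the integer System/EventID of one XML record, or None if absent or invalid."""
    try:
        root = ET.fromstring(event_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{EVT_NS}System/{EVT_NS}EventID")
    if node is None or node.text is None or not node.text.strip().isdigit():
        return None
    return int(node.text)


def keep_event(event_xml, event_ids=WANTED_EVENT_IDS):
    """Allow-list decision for one record: True only when its ID is in event_ids.

    Malformed or missing IDs are dropped, which is what the source-side filter
    in the thread does too: nothing unlisted crosses the WAN.
    """
    eid = event_id_of(event_xml)
    return eid is not None and eid in event_ids


def kept_event_ids(events, event_ids=WANTED_EVENT_IDS):
    """Return the Event IDs that survive the filter, in input order."""
    return [event_id_of(e) for e in events if keep_event(e, event_ids)]


def _event(event_id):
    """Constructed sample Security-channel record (not captured from a real host)."""
    return (
        f'<Event xmlns="{EVT_NS[1:-1]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID><Channel>Security</Channel>"
        "</System><EventData/></Event>"
    )


# Constructed sample stream: 4688 and 4672 are deliberately not on the allow-list.
SAMPLE_EVENTS = [_event(i) for i in (4663, 4688, 4624, 4672, 560, 5140, 4660)]

if __name__ == "__main__":
    print(xpath_select((4660, 4663, 560)))
    print(nxlog_exec_line((4660, 4663, 560)))
    print("kept:", kept_event_ids(SAMPLE_EVENTS))
```

Because the Exec form is an allow-list, an ID that is missing from the list is silently dropped on the server before it is ever forwarded; if you later add a detection that needs, say, 4688, the list in nxlog.conf has to be updated as well, so keep the list under the same change control as the detections that depend on it.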
Re: Filtering events at the source (multiple IDs)
I will now close this out, feel free to open a new thread if you need assistance in the future.
Former Nagios Employee