New Install - Trying to capture only Specific Event ID's
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
New Install - Trying to capture only Specific Event ID's
Latest version, OVF, imported, 16GB RAM, 2VCPU.
Using the base conf file the "net start nxlog" works.
If I add this query section below, it doesn't start. If I add the Query XML section below, it doesn't start either. Just trying to capture those specific events on a Domain Controller. Client installed.
Events
4625
4001
Example 1
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
<QueryList>
<Query Id="0">
<Select Path="System">*</Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
Example 2
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID=EventID=4625 or EventID=4001)]]</Select>
</Query>
</QueryList>
</QueryXML>
Service won't start regardless.
Entire configuration file:
## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>
<Output out>
Module om_tcp
Host XXX.XXX.XXX.XXX
Port 3515
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();
# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
<Route 1>
Path internal, file1, eventlog => out
</Route>
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
Re: New Install - Trying to capture only Specific Event ID's
Nothing I try on client side seems to work. I cannot get this to only collect these logs and nothing else. Any reference I find says to pull it all in and filter it server side. That is just wasted data.
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
Re: New Install - Trying to capture only Specific Event ID's
Thus far, I got away with this
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Now. I was previously instructed to remove all the backslashes and the first Query statement.
I did not do that this time.
It worked.
But I still only want those two specific event ID's.
Re: New Install - Trying to capture only Specific Event ID's
Not exactly what you're looking for, but it's worth mentioning that you can drop specific messages within Nagios Log Server using a Logstash filter rule like so:
if [conditions] {
    drop{}
}
So if you wanted to drop every event that is not EventID 1234 or 5678:
if [EventID] not in ["1234", "5678"] {
    drop{}
}
Might need to add/remove the above quotes depending on the data type of the field (string VS integer sort of stuff).
Following your above setup, I think you just need to refine the query you're using for any given path. Right now all you have is * which matches everything, but you could write the query to match specific EventIDs like so (I think, not tested):
<Select Path="System">*[System[(EventID=1234 or EventID=5678)]]</Select>\
<Select Path="Security">*[System[(EventID=1234 or EventID=5678)]]</Select>\
And if that doesn't work, we would need to see the specific failure from the nxlog log file.
Another nxlog based option would be to just drop the event with an Exec statement if it doesn't meet your conditions:
Exec if $EventID NOT IN (1234,5678) drop();
Which I believe should live in your <Output> rule following the module configuration directives.
Former Nagios employee
https://www.mcapra.com/
Re: New Install - Trying to capture only Specific Event ID's
Did mcapra's suggestion help?
I tested this a bit today and had little success with the query option as well, but the Exec option seemed to work. I used this input to test:
<Input eventlog>
Module im_msvistalog
Exec if ($Channel != 'SYSTEM') AND ($EventID != 7036) drop();
</Input>
These documents were a big help:
http://107.170.5.221/docs/nxlog-ce/nxlo ... msvistalog
http://107.170.5.221/docs/nxlog-ce/nxlo ... log_fields
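Whether the Exec drop() approach keeps the right events depends entirely on the boolean shape of the predicate. The following is an added Python example (not code from this thread, from nxlog or from Nagios) that applies an allow-list of (Channel, EventID) pairs like the QueryList Selects above, and then contrasts the AND and OR forms of a drop test, over constructed lines in the JSON shape the om_tcp output emits; the channel spelling "System" and the sample messages are assumptions.

```python
import json

# Constructed sample lines in the shape nxlog's om_tcp output emits after to_json()
# (not captured from a real host). Channel names are spelled as the Event Log names them.
SAMPLE_LINES = [
    '{"EventID": 4625, "Channel": "Security", "message": "An account failed to log on."}',
    '{"EventID": 4001, "Channel": "Security", "message": "constructed 4001 event"}',
    '{"EventID": 4624, "Channel": "Security", "message": "An account was successfully logged on."}',
    '{"EventID": 7036, "Channel": "System", "message": "constructed: service entered the running state"}',
    '{"EventID": 7036, "Channel": "Application", "message": "constructed: same ID, other channel"}',
    '{"EventID": 6005, "Channel": "System", "message": "constructed: event log service started"}',
]

# Allow-list keyed by channel: one entry per <Select Path="..."> in the thread's QueryList.
ALLOW = {"Security": {4625, 4001}}

def keep_allowlisted(lines, allow=ALLOW):
    """Keep only events whose (Channel, EventID) pair is allow-listed.
    This is the positive form of 'Exec if <not wanted> drop();'."""
    return [ev for ev in map(json.loads, lines)
            if ev["EventID"] in allow.get(ev["Channel"], ())]

def drop_and_form(ev):
    """Drop predicate in the AND shape: (Channel != 'System') AND (EventID != 7036).
    Only events failing BOTH tests are dropped, so every System event and every
    7036 event from any channel survives."""
    return ev["Channel"] != "System" and ev["EventID"] != 7036

def drop_or_form(ev):
    """Drop predicate in the OR shape: an event survives only if it is System AND 7036,
    which is what 'only this event from this log' usually means."""
    return ev["Channel"] != "System" or ev["EventID"] != 7036

def survivors(lines, drop_pred):
    """Apply a drop predicate the way 'Exec if ... drop();' does and return the
    (Channel, EventID) pairs of the events that reach the output."""
    return [(ev["Channel"], ev["EventID"]) for ev in map(json.loads, lines)
            if not drop_pred(ev)]

if __name__ == "__main__":
    print("allow-list keeps:", [(e["Channel"], e["EventID"]) for e in keep_allowlisted(SAMPLE_LINES)])
    print("AND form keeps:  ", survivors(SAMPLE_LINES, drop_and_form))
    print("OR form keeps:   ", survivors(SAMPLE_LINES, drop_or_form))
```

Run it against a sample of your own exported events before committing the predicate to the agent config, since a wrong conjunction silently ships either far more or far less than intended.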
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
Re: New Install - Trying to capture only Specific Event ID's
I'm hoping that is the case. Looks good just no time to test yet. Had to finish up Office 365 migration this weekend. I've got meetings this week scheduled with development and application support to find out what logs we can monitor and what keywords.
I'm going to test this out for sure.
I have developers that generate logs for application pools, services, and other code as well.
If we can capture just those specific error codes, would be a great value add. But I will open another thread for that.
Going to test this on one of the AD Controllers now. If the service starts, that would be the indicator.
Apologies for the delay.
-
dwhitfield
- Former Nagios Staff
- Posts: 4583
- Joined: Wed Sep 21, 2016 10:29 am
- Location: NoLo, Minneapolis, MN
- Contact:
Re: New Install - Trying to capture only Specific Event ID's
vcissgroup wrote: Apologies for the delay.
No need to apologize. Just let us know once you have the output. We'll be here! Well, you might have to wait until the next day depending on when you post, but we don't auto-close threads after a certain period or anything like that.
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
Re: New Install - Trying to capture only Specific Event ID's
This section below, per mcapra, allowed the service to start. Service is started. I just need to do the remaining DC's and verify on Log Server. If this works, it could essentially replace what I'm getting from the Quest tool.
Now, I did try a similar scenario on a few of the 2003 servers, not in the im_msvistalog. In the other section for 2003. Service would not start. On the 2012 R2 DC's running 2008 Native Mode, started.
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="System">*[System[(EventID=4625)]]</Select>\
<Select Path="Security">*[System[(EventID=4001)]]</Select>\
</Query>\
</QueryList>
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
Re: New Install - Trying to capture only Specific Event ID's
I seem to have this working. What I'm missing is the Alerting. The alerting with Nagios Logger seems to be static? There are 4 queries only by default and it says to configure them using the "Dashboard"? I'm not seeing it. There has to be an easier way.
If a 4001 happens for example, I need my team to know. And this is only the beginning. I have another 100 or so servers hosting old code that have IIS pool outputs.
Query <QueryList>\
<Query Id="0">\
<Select Path="System">*[System[(EventID=4625)]]</Select>\
<Select Path="Security">*[System[(EventID=4001)]]</Select>\
<Select Path="Security">*[System[(EventID=4720)]]</Select>\
<Select Path="Security">*[System[(EventID=4722)]]</Select>\
<Select Path="Security">*[System[(EventID=4724)]]</Select>\
<Select Path="Security">*[System[(EventID=4738)]]</Select>\
<Select Path="Security">*[System[(EventID=4725)]]</Select>\
</Query>\
</QueryList>
-
vcissgroup
- Posts: 16
- Joined: Thu Mar 09, 2017 5:25 am
Re: New Install - Trying to capture only Specific Event ID's
I guess I'm not seeing the value in Logger everyone. To pay for something that is not setup correct? NXLOG, NSClient++ installed.
The value was supposed to be the ability to filter traffic at the source to the destination. But if I cannot alert on that or send it someone else like a "Reactor" - Discontinued now?
Does no one do reactive and proactive alerting?
Is there literally no way to do proper logging without charging small to midsize companies too much money to make it a value-add?
I just want a team to get alerts when an attribute changes in Active Directory. Not stare at a screen all day. I want my team to get the alert, I want something that identifies patterns, I want something that is proactive not reactive.
I've read every book I can find on Safaribooksonline.com but they are all related to Core. Should I just drop this and go Core all the way. Force my team to learn it. Despite the fact that Microsoft is the majority player - it is the applications causing a bulk of the problems.
Particularly a customer that has had an entire team walk out (developers) and 4 leadership changes in IT in 3 years.
Which is why I was called. I took out the 4th. After they threatened to Outsource the entire team. Pay for the right to point the finger.
Does anyone of you have any respect for that?
I volunteered.