Nagios Support Forum

Hello LOG support

You helped me to filter "Security" logs only. Now trying to filter specific multiple EventIds: 4660,4663, 4624, 5140, 560, 564..

In the sample of:
==============================================================
Query <QueryList> \
<Query Id="0">\
<Select Path="Security">*[System[(EventID='4663')]]</Select>\
</Query>\
</QueryList>
=============================================================
How do I include multiple EventIDs?

Thank you

You can query for a range of numbers like so: You can use a filter if you'd prefer.

jolson wrote:You can query for a range of numbers like so:

2015-11-30 13_00_19-Dashboard • Nagios Log Server.png

You can use a filter if you'd prefer.

We actually prefer source-based filtering (to save the WAN). Just unsure how to edit the configuration file to include say 4660, 4663 and 560 (for example)

Understood. Please see this link for excellent document that covers nxlog in detail: http://nxlog-ce.sourceforge.net/nxlog-d ... manual.pdf

That said, you will need to modify nxlog.conf on your Windows Server as follows: Let me know if that works for you. Thanks!

jolson wrote:Understood. Please see this link for excellent document that covers nxlog in detail: http://nxlog-ce.sourceforge.net/nxlog-d ... manual.pdf

That said, you will need to modify nxlog.conf on your Windows Server as follows:

Code: Select all

<Input eventlog>
    Module im_msvistalog
    Exec if not ($EventID == 4660 or $EventID == 4663 or $EventID == 560) drop();
</Input>

Let me know if that works for you. Thanks!

This worked.
Thank you very much!
- please close this case

I will now close this out, feel free to open a new thread if you need assistance in the future.