Configure nslog.conf for DFSR logging
Posted: Wed May 03, 2017 10:20 pm
by james.liew
Hi all,
I'm trying to configure the nslog client to log for DFSR replication. Like below.
I'm having trouble determining the exact syntax to use.
[Attachment: 2017-05-04_11-15-16.png]
Can I just add
<Select Path="DFS Replication">*</Select>\ in the query list?
This is my current query list:
Code:
Query <QueryList>\
    <Query Id="0">\
        <Select Path="System">*</Select>\
        <Select Path="Application">*</Select>\
        <Select Path="Security">*</Select>\
    </Query>\
</QueryList>
Re: Configure nslog.conf for DFSR logging
Posted: Thu May 04, 2017 9:58 am
by mcapra
That's what this example seems to be doing:
https://gist.github.com/grenade/3bbb336209a8859af9d1
Code:
<Input filtered_eventlog>
    Module im_msvistalog
    ReadFromLast TRUE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="System">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Active Directory Web Services">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="DFS Replication">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Directory Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="ThinPrint Diagnostics">*[System[Level=1 or Level=2 or Level=3]]</Select>\
            <Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
        </Query>\
    </QueryList>
</Input>
I imagine adding an additional <Select> should be sufficient.
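Added example, not part of the original posts: a small Python check that pulls the Query directive out of the config text, joins the backslash-continued lines, and confirms the result is well-formed XML that selects the expected channels. The sample config is constructed from the query list in the first post with the "DFS Replication" line added; the `<Input eventlog>` block name and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first post's query list plus the DFS Replication line.
SAMPLE_CONF = r'''<Input eventlog>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="System">*</Select>\
            <Select Path="Application">*</Select>\
            <Select Path="Security">*</Select>\
            <Select Path="DFS Replication">*</Select>\
        </Query>\
    </QueryList>
</Input>
'''

def extract_query(conf_text):
    """Return the XML value of the first Query directive, joining '\\' continuations."""
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r'\s*Query\s+(.*)$', line)
        if not m:
            continue
        parts, current, j = [], m.group(1), i
        # The directive continues for as long as each line ends with a backslash.
        while current.rstrip().endswith('\\'):
            parts.append(current.rstrip()[:-1])
            j += 1
            if j >= len(lines):
                raise ValueError("continuation backslash on the last line of the file")
            current = lines[j]
        parts.append(current)
        return '\n'.join(parts)
    raise ValueError("no Query directive found")

def selected_channels(conf_text):
    """Parse the query and return {channel path: XPath filter} in file order."""
    xml_text = extract_query(conf_text)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A Select line added without its trailing backslash ends the directive early.
        raise ValueError(f"Query is not well-formed XML (missing trailing backslash?): {exc}") from exc
    return {s.get("Path"): (s.text or "").strip() for s in root.iter("Select")}

if __name__ == "__main__":
    for path, xpath in selected_channels(SAMPLE_CONF).items():
        print(f"{path}: {xpath}")
```

This checks syntax only; whether a channel such as "DFS Replication" exists on a given host is a separate check (`wevtutil el` lists the channel names).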
Re: Configure nslog.conf for DFSR logging
Posted: Fri May 05, 2017 4:07 am
by james.liew
Seems to be working after I added that line.
Will monitor for now.
Re: Configure nslog.conf for DFSR logging
Posted: Fri May 05, 2017 10:42 am
by dwhitfield
Fantastic. No need to respond if it ends up working, but do let us know if you continue to have problems.