Advanced XML filtering in Nxlog for Windows Events to help reduce noise on GrayLog


(Blake) #1

Hi Guys,

I’m trying to further filter Windows 2012 events in nxlog-ce-2.9.1716 on the server, before they reach our GrayLog 2.4.6 server. Other examples I’ve found online or in the nxlog manuals don’t seem to go into as much detail - or if they do I can’t wrap my head around it. Would love any help to resolve this and hopefully set a detailed example others can reference in the future :grinning:

  • I already have specific Windows events coming into Graylog just fine
  • I’m avoiding filtering on the GrayLog stream, want to filter before it leaves the server - as some events are really noisy
  • While below is an example of a specific event, I’m essentially after the right syntax so I can apply to multiple events
  • Open to any suggestions, if there is a better way of achieving this

So as an example, MS EventID 4776 captures domain controller logins (both successful and failed). According to MS docs, this is defined under a “Status” code. 0x0 means successful and anything else like 0xc0000064 means failed. The image below shows a failed attempt and the XML structure I’m working with.

In the nxlog.conf below, I’m attempting to filter EventID 4776. I want to only send events that are not equal to 0x0, i.e. only send failures. I’ve tried a few different ways, which prevent the nxlog Windows service from starting - the config below will allow the service to successfully start, but no events for 4776 come through.

If anyone can please give a correct example or point me in the right direction, that would be amazing.

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4720)]]</Select>\
                        <Select Path="Security">*[System[(EventID=4701)]]</Select>\
                        <Select Path="Security">*[System[(EventID=4756)]]</Select>\
                        <Select Path="Security">*[System[(EventID=1102)]]</Select>\
                        <Select Path="Security">*[System[(EventID=4776)] and *[EventData[Data[@Name='Status'] and (Data !='0x0')]]]</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        <removed>
    Port        <removed>
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

(Blake) #2

If it helps anyone else, I found a workaround to my problem.

A good example of granular XML filtering can be found here.

To match a specific eventID and error code (0xc0000064), below works fine. But apparently the “not equal to” operator (!=) won’t work as explained here.

<Select Path="Security">
*[EventData[Data[@Name='Status'] and 
 (Data='0xc0000064')]] and *[System[(EventID='4776')]]
</Select>\

To suppress all successful status events (0x0) for a specific eventID and allow everything else through:

#First Suppress all successful events matching status code '0x0' and EventID 4776
<Suppress Path="Security">
*[EventData[Data[@Name='Status'] and 
(Data='0x0')]] and *[System[(EventID='4776')]]
</Suppress>\

#Then allow everything else
<Select Path="Security">
*[System[(EventID=4776)]]
</Select>\
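
As an added illustration (not part of the thread and not NXLog code), the following Python emulates what the Suppress-then-Select query above lets through, run over constructed 4776 event XML in the real Windows event schema namespace. It binds the 0x0 check to the Data element whose Name is "Status" specifically, and treats a Suppress match as overriding a Select, which is how Windows event queries evaluate; the sample events and the TargetUserName value are constructed.

```python
"""Emulate the Suppress/Select filtering from the thread over constructed
Windows Security event XML, so the resulting event set can be checked offline."""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as shown in Event Viewer's XML view).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, status=None):
    """Build a minimal Security event with an optional Status Data element (constructed)."""
    data = "" if status is None else f'<Data Name="Status">{status}</Data>'
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<Channel>Security</Channel></System>'
        f'<EventData><Data Name="TargetUserName">alice</Data>{data}</EventData></Event>'
    )


def event_id(root):
    return int(root.find("e:System/e:EventID", NS).text)


def status_of(root):
    """Return the value of the Data element named 'Status', or None if absent."""
    for data in root.findall("e:EventData/e:Data", NS):
        if data.get("Name") == "Status":
            return data.text
    return None


def passes_query(xml_text, select_ids=(4720, 4701, 4756, 1102, 4776),
                 suppress_success_for=(4776,)):
    """Select events whose EventID is listed, then drop those matched by the
    Suppress clause (EventID in suppress_success_for with Status 0x0).
    Suppress takes precedence over Select, as in a Windows event query."""
    root = ET.fromstring(xml_text)
    eid = event_id(root)
    if eid not in select_ids:
        return False
    if eid in suppress_success_for and status_of(root) == "0x0":
        return False
    return True


def filter_events(events):
    """Return only the events that would be forwarded to Graylog."""
    return [e for e in events if passes_query(e)]


if __name__ == "__main__":
    sample = [make_event(4776, "0x0"), make_event(4776, "0xc0000064"), make_event(1102)]
    print(f"{len(filter_events(sample))} of {len(sample)} events forwarded")
```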

(Jan Doberstein) #3

Thank you @blake for sharing the solution with us!
