How to filter eventlog and forward to graylog


(parker-chen) #1

I would like to only send event ID 4663 to Graylog, since 4663 can tell me who deleted a file.
But I got an error on NXLog: "nxlog failed to start: Expected but saw at C:\Program Files (x86)\nxlog\conf\nxlog.conf:27".
Could anyone please help look at that?

nxlog.conf is here:

```
# The <Extension>/<Input>/<Output>/<Route> block tags were lost when the forum
# rendered this post; they are restored here. The block names "in" and "out"
# come from the original Route line; the Extension names and Path="Security"
# (the log that carries 4663) are assumed.

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input in>
    Module  im_msvistalog
    # A directive value that spans several lines must end every line except
    # the last with a backslash; otherwise NXLog reads the next line as a new
    # directive and fails with "Expected ... but saw ...".
    # The EventData test compares the named Data element's value directly;
    # the original "Data[@Name=...] and (Data=...)" only checked that some
    # Data element equals "File".
    Query   <QueryList>                                               \
                <Query Id="0">                                         \
                    <Select Path="Security">                           \
                        *[System[(EventID=4663)]]                      \
                        and                                            \
                        *[EventData[Data[@Name="ObjectType"]="File"]] \
                    </Select>                                          \
                </Query>                                               \
            </QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        192.168.60.158
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route 1>
    Path    in => out
</Route>
```


(alexis) #2

I have something like this for selecting EventIDs:

```
*[System[(EventID=4608 or EventID=4609 or EventID=4624 or EventID=4634)]]
```


(John Buchanan) #3

A little "cheat" I like to use: open Event Viewer on any Windows system, then select the log you want to pull events from, say Security. On the right choose Filter Current Log; on the Events tab choose the criteria you like, perhaps nothing more than entering 3663 in the event ID box. Now click on the XML tab at the top, copy that in its entirety and paste it into the Query box for a given Collector Config Input (Windows-event-log type, of course). Modify it so the entire config is one line with no spaces, and you're done. It is an easy way to create that query syntax without needing to type it all out.


(parker-chen) #4

I mean, I would like to only send EventID = 4663 and Category = Removable Storage, but it does not seem to be working with this: `*[EventData[Data[@Name="ObjectType"] and (Data="File")]] and *[System[(EventID="4663")]]` ... @@

Anyway, the query `*[System[(EventID="4663")]]` works now.
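
The Event Viewer trick in #3 and the "4663 only for Removable Storage" goal in #4, put together as an added example: this PowerShell was written for this page and is not code from any poster. It dry-runs the XPath against the local Security log with Get-WinEvent before it goes anywhere near nxlog.conf, prints who touched which object and whether the DELETE right was involved, and then collapses the query to the single line the NXLog Query directive and the Sidecar input take. Two assumptions are baked in and should be confirmed against the XML tab of a real event: that Task 12812 is the "Removable Storage" audit subcategory on your host, and that the DELETE right is bit 0x10000 of AccessMask.

```powershell
# Added example, not code from the thread: validate a Windows event-log XPath
# query locally, then collapse it to one line for the NXLog Query directive.
# Run in an elevated PowerShell (reading the Security log needs admin).
#
# Assumptions to confirm with Event Viewer's "XML" tab (the trick in #3):
#   - Task 12812 is the "Removable Storage" audit subcategory on this host.
#   - 4663 carries the acting account in SubjectUserName and the DELETE
#     right as bit 0x10000 of AccessMask.
$removableStorageTask = 12812
$DELETE = 0x10000

$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4663) and (Task=$removableStorageTask)]]
      and
      *[EventData[Data[@Name='ObjectType']='File']]
    </Select>
  </Query>
</QueryList>
"@

function Test-EventQuery {
    param([string]$Xml, [int]$Max = 20)
    # Step 1: dry-run. A malformed XPath is rejected here instead of after an
    # NXLog restart. "No events were found" means the query parsed fine but
    # the audit policy has not produced a match yet.
    try {
        $events = Get-WinEvent -FilterXml $Xml -MaxEvents $Max -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -match 'No events were found') {
            Write-Host 'Query accepted; no matching events in the log yet.'
            return
        }
        throw   # genuine XPath/XML error: fix the query before deploying it
    }
    foreach ($e in $events) {
        # Read EventData fields by name rather than by position, so the output
        # does not break if the field order of 4663 ever changes.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        $mask = if ($d['AccessMask']) { [Convert]::ToInt32($d['AccessMask'], 16) } else { 0 }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Who     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            Delete  = (($mask -band $DELETE) -ne 0)   # the "who deleted it" case
        }
    }
}

function ConvertTo-OneLineQuery {
    param([string]$Xml)
    # Step 2: NXLog's Query directive and the Sidecar input take the query on
    # one line. Strip only the whitespace between tags; the XPath text keeps
    # its spaces because "and" needs them.
    (($Xml -split "`r?`n" | ForEach-Object { $_.Trim() }) -join ' ') -replace '>\s+<', '><'
}

Test-EventQuery -Xml $queryXml | Format-Table -AutoSize
ConvertTo-OneLineQuery -Xml $queryXml
```

If Get-WinEvent throws on the query, NXLog would have rejected the same XPath; fix it here first. If you want to drop the Task predicate and keep every 4663 for files, delete the `and (Task=...)` part; the rest of the script is unchanged.
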


(system) closed #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.