I would like to only send event ID 4663 to Graylog, because 4663 can let me know who deleted a file. But I got an error in NXLog: “nxlog failed to start: Expected but saw at C:\Program Files (x86)\nxlog\conf\nxlog.conf:27”.
Could anyone please help to look at that?
My nxlog.conf is here:
```
# The opening tags (<Extension ...>, <Input ...>, <Output ...>, <QueryList>,
# <Query ...>, <Select ...>) were lost when this post was extracted; they are
# restored here. The block names (syslog, gelf, in, out) and the Security log
# path are assumed. The Query value is kept exactly as posted, spread over
# several lines, since that layout is what the question is about.
<Extension syslog>
    Module xm_syslog
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="Security">
                *[EventData[Data[@Name="ObjectType"] and (Data="File")]]
                and
                *[System[(EventID="4663")]]
            </Select>
        </Query>
    </QueryList>
</Input>

<Output out>
    Module om_tcp
    Host 192.168.60.158
    Port 12201
    OutputType GELF_tcp
</Output>
```
A little “cheat” I like to use: open Event Viewer on any Windows system, then select the log you want to pull events from, say Security. On the right, choose Filter Current Log; on the Events tab, choose the criteria you like, perhaps nothing more than entering 3663 in the event ID box. Now click on the XML tab at the top, copy that in its entirety and paste it into the Query box for a given Collector Config Input (Windows event log type, of course). Modify it so the entire config is one line with no spaces, and you’re done. It’s an easy way to create that query syntax without needing to type it all out.
I mean, I would like to only send EventID = 4663 and Category = Removable Storage, but it seems not to be working with this: `*[EventData[Data[@Name="ObjectType"] and (Data="File")]] and *[System[(EventID="4663")]]` …
Anyway, the query `*[System[(EventID="4663")]]` works now.
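The thread's two practical points (build the 4663 filter Event Viewer would give you, and get it onto a single line before it goes into nxlog.conf) can be checked offline. The script below is an added example and is not code from this thread or from NXLog: it builds the XPath select, wraps it in the QueryList XML, confirms the XML is well-formed, renders an `<Input>` block with a one-line `Query`, and lints a config for the layout in the question (XML tags sitting on their own lines inside a `Query` value). The lint rule and the set of NXLog block names are assumptions for illustration, not a description of NXLog's parser; the sample config is constructed to mirror the posted one.

```python
"""Build and sanity-check an NXLog im_msvistalog query for Windows Security
event 4663 (object access; used here to see who deleted a file).

Added example, not code from the thread or from NXLog. The lint rule below is
an assumption about the failing shape in the question (XML tags on their own
lines inside a Query directive), not a model of NXLog's actual parser.
"""
import re
import xml.etree.ElementTree as ET

# Block directives NXLog's config syntax itself uses (assumed list).
NXLOG_BLOCKS = {"Input", "Output", "Extension", "Route", "Processor", "Exec", "QueryXML"}


def build_xpath(event_id, object_type=None):
    """XPath select for one event ID, optionally restricted by EventData ObjectType."""
    parts = [f"*[System[(EventID={event_id})]]"]
    if object_type is not None:
        parts.append(f'*[EventData[Data[@Name="ObjectType"]="{object_type}"]]')
    return " and ".join(parts)


def build_querylist(xpath, path="Security", query_id=0):
    """Wrap the XPath in the QueryList/Query/Select XML that Event Viewer's XML
    tab emits, and confirm it is well-formed before it goes near nxlog.conf."""
    xml = (f'<QueryList><Query Id="{query_id}">'
           f'<Select Path="{path}">{xpath}</Select>'
           f"</Query></QueryList>")
    ET.fromstring(xml)  # raises ParseError if the query broke the XML
    return xml


def nxlog_input_block(querylist_xml, name="in"):
    """Render an <Input> block whose Query value sits on a single line
    (block name 'in' is an assumption)."""
    one_line = re.sub(r">\s+<", "><", querylist_xml).strip()
    return (f"<Input {name}>\n"
            f"    Module im_msvistalog\n"
            f"    Query {one_line}\n"
            f"</Input>\n")


def lint_config(text, known_blocks=NXLOG_BLOCKS):
    """Return (line_no, line) for every line that starts with an XML tag which
    is not an NXLog block directive and is not part of a backslash-continued
    value. Such lines are the shape of the config that failed in the question."""
    problems = []
    continued = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not continued:
            m = re.match(r"\s*</?(\w+)[\s>]", line)
            if m and m.group(1) not in known_blocks:
                problems.append((lineno, line.strip()))
        continued = line.rstrip().endswith("\\")
    return problems


# Constructed sample mirroring the layout in the question: the query XML is
# spread over several lines with no line-continuation characters.
BROKEN_CONF = """<Input in>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="Security">
                *[System[(EventID=4663)]]
            </Select>
        </Query>
    </QueryList>
</Input>
"""

if __name__ == "__main__":
    print("Lines flagged in broken layout:", [n for n, _ in lint_config(BROKEN_CONF)])
    block = nxlog_input_block(build_querylist(build_xpath(4663, "File")))
    print(block)
    print("Lines flagged in one-line layout:", lint_config(BROKEN_CONF and block))
```

Running it flags lines 4, 5, 7, 8 and 9 of the constructed config and nothing in the rendered one-line block. The `ObjectType` restriction uses the `Data[@Name="..."]="value"` form rather than the `Data[@Name="ObjectType"] and (Data="File")` form quoted in the thread; the latter only requires that some `Data` element equals `File`, not specifically the `ObjectType` one.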