NXLog drop() config for executing nxlog.exe

Hey Guys, I have the problem that NXLog send messages about executing nxlog.exe and dns.exe
like this:

The full message:
{
“Category”: “Filtering Platform Connection”,
“gl2_remote_ip”: “10.X.X.X”,
“gl2_remote_port”: 60602,
“DestPort”: “53”,
“source”: “XY.exemple.intern”,
“FilterRTID”: “445565”,
“RemoteMachineID”: “S-1-0-0”,
“SourcePort”: “43973”,
“gl2_source_input”: “63ab19ba994e010fd03cf956”,
“Direction”: “%%14592”,
“gl2_source_node”: “1311d675-37e6-4006-81e6-babe1fbb1359”,
“ProcessID”: 4,
“Protocol”: “17”,
“DestAddress”: “10.X.X.X”,
“timestamp”: “2024-07-31T05:49:38.000Z”,
“SourceAddress”: “10.0.142.143”,
“gl2_accounted_message_size”: 1033,
“level”: 6,
“LayerName”: “%%14610”,
“streams”: [
“64f58494ff56cb392ae28980”
],
“gl2_message_id”: “01J43NCFAG1N55GQ32RE0YXZS6”,
“SourceName”: “Microsoft-Windows-Security-Auditing”,
“Severity”: “INFO”,
“message”: “Von der Windows-Filterplattform wurde eine Verbindung zugelassen”,
“RemoteUserID”: “S-1-0-0”,
“full_message”: “Siehe Bild”,
ThreadID": 3928,
“LayerRTID”: “44”,
“EventID”: 5156,
“_id”: “5d9d9069-4f06-11ef-8d03-005056a46741”,
“Application”: “\device\harddiskvolume4\windows\system32\dns.exe”
}

I want to drop this events.
I ask you to vallidate this NXLog Skript.

nxlog.exe

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
     Module      im_msvistalog
	<Exec>
		if  ($EventID == 5156 AND ($SourceAddress == 10.X.X.X) AND ($DestAddress == 10.X.X.X) AND ($Application == "\\device\\harddiskvolume4\\program files\\nxlog\\nxlog.exe")) drop();
	</Exec>
</Input>
 <Processor buffer>
           Module pm_buffer
           MaxSize 102400
           Type disk
 </Processor>
 
 <Output out>
     Module      om_udp
     Host        10.X.X.X
     Port        12201
     OutputType  GELF
 </Output>
 
 <Route 1>
     Path        in => buffer => out
 </Route>

dns.exe

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
     Module      im_msvistalog
	<Exec>
		if (($EventID == 5156) AND ($SourceAddress == 10.X.X.X) AND ($Application == "\\device\\harddiskvolume4\\windows\\system32\\dns.exe")) drop();
	</Exec>
</Input>
 <Processor buffer>
           Module pm_buffer
           MaxSize 102400
           Type disk
 </Processor>
 
 <Output out>
     Module      om_udp
     Host        10.X.X.X
     Port        12201
     OutputType  GELF
 </Output>
 
 <Route 1>
     Path        in => buffer => out
 </Route>

Thanks for your help

Hello, I am dropping nxlog.exe and dns.exe but not targeting the EventIDs at the same time. Here are my two entries that are working:

Exec if $Application =~ /\\device\\.....\\.....\\nxlog\\nxlog.exe/ drop();
Exec if $Application =~ /dns.exe/ drop();

Hope that helps!

Yes, perfect. Thank you

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.