Query specific logs from event log using nxlog

logging windows-event-log

Below is my nxlog configuration

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        localhost
    Port        3515
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
                to_json();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>

<Select Path="Security">*</Select>\ -> * gets everything from the Security log, but my requirement is to get specific logs starting with EventId – 4663. How do I do this? Please help. Thanks.

Best Answer

Doing a regexp match on $raw_event is a little ugly and inefficient.

I suggest using the following form:

# goes inside the <Input eventlog> block; drops every event whose EventID does not start with the given digits
Exec if string($EventID) !~ /^42/ drop();

The alternative is to use the XML event selection:

Query   <QueryList>\
            <Query Id="0">\
                <Select Path="Security">*[System[(EventID='4663')]]</Select>\
            </Query>\
        </QueryList>

Although it looks like the starts-with match won't work here:

XPath 1.0 Limitations:

Windows Event Log supports a subset of XPath 1.0. There are limitations to what functions work in the query. For instance, you can use the "position", "Band", and "timediff" functions within the query but other functions like "starts-with" and "contains" are not currently supported.
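An added check, not part of the question or the answer above: before pasting a Select expression into the im_msvistalog Query block, run it through Get-WinEvent -FilterXml, which hands the same XML to the Event Log service, so an expression the service rejects fails here first. The script below is written for this page (it is not nxlog's or the answerer's code); the query names, the helper function Test-EventQuery and the sample queries are my own. It tests the exact-match query from the answer, shows that starts-with() is rejected exactly as the quoted limitation says, and shows the workaround I assume for "IDs beginning with 46": a numeric range comparison (EventID between 4600 and 4699), which the supported XPath subset does accept.

```powershell
# Validate Event Log XPath selectors before using them in nxlog's
# <Input eventlog> Query. Run from an elevated PowerShell session: reading
# the Security log needs administrator or "Event Log Readers" rights.
# (Added example; not code from the original question or answer.)

# 1. Exact match on one event ID, identical to the answer's XPath.
$exactQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4663)]]</Select>
  </Query>
</QueryList>
"@

# 2. starts-with() is not in the Event Log XPath subset. This query is
#    expected to be REJECTED; it is here only to show the failure mode.
$startsWithQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[starts-with(EventID,'46')]]</Select>
  </Query>
</QueryList>
"@

# 3. Assumed workaround for "IDs starting with 46": a numeric range.
#    Comparison operators and and/or are supported; '<' must be written
#    as &lt; because the query is XML.
$rangeQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID &gt;= 4600 and EventID &lt;= 4699)]]</Select>
  </Query>
</QueryList>
"@

function Test-EventQuery {
    param(
        [string]$Name,
        [string]$Xml,
        [int]$MaxEvents = 5
    )
    try {
        $events = Get-WinEvent -FilterXml $Xml -MaxEvents $MaxEvents -ErrorAction Stop
        $ids = ($events.Id | Sort-Object -Unique) -join ', '
        Write-Host ('{0}: OK, sample event IDs: {1}' -f $Name, $ids)
    }
    catch {
        # "No events were found" means the query was accepted but nothing
        # matched; any other error means the service rejected the XPath.
        if ($_.Exception.Message -match 'No events were found') {
            Write-Host ('{0}: OK, query accepted but no matching events' -f $Name)
        }
        else {
            Write-Host ('{0}: REJECTED - {1}' -f $Name, $_.Exception.Message)
        }
    }
}

Test-EventQuery -Name 'exact 4663'  -Xml $exactQuery
Test-EventQuery -Name 'starts-with' -Xml $startsWithQuery   # expected: REJECTED
Test-EventQuery -Name 'range 46xx'  -Xml $rangeQuery
```

Once a Select expression passes here, it can be copied verbatim (including the &lt; and &gt; entities) into the nxlog Query directive. The difference between the two approaches in the answer is where the filtering happens: the XPath selection is applied by the Event Log service before the event is ever delivered to nxlog, while the Exec drop() filter runs inside nxlog on every event it has already read, so prefer the XPath form on a busy Security log and keep the Exec form for conditions the XPath subset cannot express.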