Hi Nico

You can try the following configuration. It is supposed to filter out and drop every record where Workstation Name wasn't specified.

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4724 or EventID=5141 or EventID=4726 or EventID=4625 or EventID=4624)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Drop 4624 records whose Workstation Name is missing or "-" (the
    # machine-account logons in the sample). The character class rejects
    # the "-" placeholder, which a plain \S+ would accept. The check is
    # limited to EventID 4624 so the other event IDs in the query, whose
    # messages carry no Workstation Name field at all, are not dropped.
    Exec if $EventID == 4624 and $Message !~ /Workstation Name:\s+[^\s-]/ drop();
</Input>

You can also use the forum at https://nxlog.co/community-forum for further questions, since the support team watches there.
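To make the filtering decision visible before touching an agent, here is an added example (not from the reply or from NXLog) that reproduces the check described above in Python: a 4624 record is dropped when its message body has no Workstation Name other than "-", and events of other IDs are passed through untouched. The three message bodies are constructed from the samples quoted in the thread, with placeholder names and addresses.

```python
import re
from typing import List, Optional, Tuple

# Same test as the NXLog rule: a Workstation Name is "specified" only if
# the value after the colon starts with something other than whitespace
# or "-" (the placeholder Windows writes for the machine's own logons).
WORKSTATION_RE = re.compile(r"Workstation Name:\s+([^\s-]\S*)")


def workstation_name(message: str) -> Optional[str]:
    """Workstation Name from a 4624/4625 message body, or None when the
    field is absent or recorded as "-"."""
    m = WORKSTATION_RE.search(message)
    return m.group(1) if m else None


def drop_record(event_id: int, message: str) -> bool:
    """True when the forwarder rule would call drop() on this record."""
    return event_id == 4624 and workstation_name(message) is None


# Constructed sample bodies, trimmed to the lines that matter here.
MACHINE_LOGON = """An account was successfully logged on.

New Logon:
\tSecurity ID:\t\tDOMAIN\\exservername$
\tAccount Name:\t\texservername$

Network Information:
\tWorkstation Name:\t-
\tSource Network Address:\t192.0.2.10
\tSource Port:\t\t43696
"""

USER_LOGON = """An account was successfully logged on.

New Logon:
\tSecurity ID:\t\tDOMAIN\\username
\tAccount Name:\t\tusername

Network Information:
\tWorkstation Name:\tworkstationname
\tSource Network Address:\t192.0.2.25
\tSource Port:\t\t53054
"""

# A 4724 (password reset) body has no Network Information section, so an
# unscoped "no Workstation Name -> drop" rule would silently discard it.
PASSWORD_RESET = """An attempt was made to reset an account's password.

Target Account:
\tAccount Name:\t\tusername
"""


def filter_records(records: List[Tuple[int, str]]) -> List[Tuple[int, Optional[str]]]:
    """Apply the rule to (event_id, message) pairs and return what would be
    forwarded, as (event_id, workstation_name) for easy inspection."""
    kept = []
    for event_id, message in records:
        if not drop_record(event_id, message):
            kept.append((event_id, workstation_name(message)))
    return kept


if __name__ == "__main__":
    sample = [(4624, MACHINE_LOGON), (4624, USER_LOGON), (4724, PASSWORD_RESET)]
    for event_id, name in filter_records(sample):
        print(event_id, name)
```

The point of the third sample is the scoping: because the query in the configuration also pulls 4724, 4726 and 5141, a drop condition that only looks at the message text has to be tied to EventID 4624 (or 4624/4625) or those records disappear too. On a real agent the same decision can also be made on the parsed EventData field rather than a regex over $Message, since im_msvistalog exposes 4624's WorkstationName as $WorkstationName; the thread does not use that route, so it is only mentioned here as an option to verify against the NXLog documentation.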
________________________________
From: Nico Lambrechts via nxlog-ce-users <[email protected]>
Sent: February 20, 2020 1:18 PM
To: [email protected] <[email protected]>
Subject: [nxlog-ce-users] Windows EventID 4624 (Success Login) filtering


Good day,

Attached is my current working nxlog.conf file.

I am enabling reporting on successful login events (EventID 4624) and need to push that to NXLog.

Including this EventID is not a problem.

What IS a problem is the filtering of the events that are sent to our Graylog.

This is an Exchange server, so EventID 4624 includes a lot of events I am not interested in.

E.g., I do not need events like this, where the server name is listed:

An account was successfully logged on.

New Logon:
    Security ID:            domain\exservername$
    Account Name:           exservername$
    Account Domain:         xxx
    Logon ID:               0x2A7F17B5
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:             {0edbcf6c-2eb7-34e1-8ab4-8f188a1e46a2}

Process Information:
    Process ID:             0x0
    Process Name:           -

Network Information:
    Workstation Name:       -
    Source Network Address: xxx
    Source Port:            43696

I DO NEED:

New Logon:
    Security ID:            domain\username
    Account Name:           username
    Account Domain:         xxx
    Logon ID:               0x2A7EF275
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:             {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:             0x0
    Process Name:           -

Network Information:
    Workstation Name:       workstationname
    Source Network Address: IP address
    Source Port:            53054

I would appreciate some help to include this EventID with the filter?

Many thanks in advance!

Regards,

Nico Lambrechts

_______________________________________________
nxlog-ce-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users