Good day,

Attached is my current working nxlog.conf file.

I am enabling reporting on successful login events (EventID 4624) and need to push that to NXLog. Including this EventID is not a problem. What IS a problem is the filtering of the events that are sent to our Graylog. This is an Exchange server, so EventID 4624 includes a lot of events I am not interested in.

E.g. I do not need events like this, where the server name is listed:

    An account was successfully logged on.

    New Logon:
        Security ID: domain\exservername$
        Account Name: exservername$
        Account Domain: xxx
        Logon ID: 0x2A7F17B5
        Linked Logon ID: 0x0
        Network Account Name: -
        Network Account Domain: -
        Logon GUID: {0edbcf6c-2eb7-34e1-8ab4-8f188a1e46a2}

    Process Information:
        Process ID: 0x0
        Process Name: -

    Network Information:
        Workstation Name: -
        Source Network Address: xxx
        Source Port: 43696

I DO NEED:

    New Logon:
        Security ID: domain\username
        Account Name: username
        Account Domain: xxx
        Logon ID: 0x2A7EF275
        Linked Logon ID: 0x0
        Network Account Name: -
        Network Account Domain: -
        Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
        Process ID: 0x0
        Process Name: -

    Network Information:
        Workstation Name: workstationname
        Source Network Address: IP address
        Source Port: 53054

I would appreciate some help to include this EventID with the filter.

Many thanks in advance!

Regards,
Nico Lambrechts

This communication is subject to the University of Fort Hare e-Mail Disclaimer <http://www.ufh.ac.za/policies/UFH_E-mail_Disclaimer.pdf>
_______________________________________________ nxlog-ce-users mailing list nxlog-ce-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
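
One way to express the filter described in the message above, as an added example that is not part of the original post or the poster's attached configuration. It assumes the events are collected with im_msvistalog, that the "Account Name" under "New Logon" is exposed as the field $TargetUserName, and that the instance name "eventlog" is a placeholder:

```conf
# Added example: drop successful-logon events (4624) generated by machine
# accounts, keep the ones generated by user accounts.
#
# Assumptions (not taken from the attached nxlog.conf, which is not shown):
#   - the input module is im_msvistalog
#   - the instance name "eventlog" is hypothetical
#   - "Account Name" under "New Logon" arrives as $TargetUserName
<Input eventlog>
    Module  im_msvistalog

    # Machine (computer) accounts end in "$", e.g. exservername$.
    # User accounts such as "username" do not, so they pass through.
    # Events with any other EventID are left untouched by this rule.
    Exec    if $EventID == 4624 and $TargetUserName =~ /\$$/ drop();
</Input>
```

Filtering at the agent keeps the machine-account logons out of Graylog entirely, so any detection that relies on computer-account logon activity would need those events collected some other way.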