
I currently have NxLog running on various Domain Controllers pulling out login/logout events.

Exec if $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \
     else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
     else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/  /g {}

While the config above works fine, in that it ignores usernames with $ in them and also the ones I specified, I want to ignore only event ID 4624 with those usernames in it so I can still see failed logins. I thought the following config would work but I keep getting syntax errors.

Exec if ($EventID == 4624 and $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \
     else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
     else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/  /g {}

Any help would be greatly appreciated.

Edit: For completeness, below was my final config to rule out usernames with $ in them and then successful/Kerb events on various accounts that were chatty and that I didn't care about.

Exec if $TargetUserName =~ /(\S+\$)/ drop(); \
     else if ($EventID == 4624 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \
     else if ($EventID == 4648 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \
     else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
     else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/  /g {}
Eric
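As an added illustration (not part of the question or answer), a small Python simulation of the decision logic in the final Exec block above, run over constructed sample events: it shows that failed logons (4625) for the chatty accounts still get through while their successful 4624/4648 events and all machine accounts are dropped. The sample events, field values and the `filter_event`/`mk` helpers are made up for this example; field names follow the NXLog variables in the post.

```python
import re

# Regexes copied from the final config. Both are unanchored, exactly as in the
# post, so "user10" or "superuser1" would also match the chatty-account pattern.
MACHINE_ACCOUNT = re.compile(r"\S+\$")
NOISY = re.compile(r"(user1|user2|user3|user4)")
FORWARDED_IDS = {4624, 4625, 4648, 4768}
TRIM = re.compile(r"^(.+)(Detailed Authentication Information:|Additional Information:)")


def filter_event(ev):
    """Mirror the Exec chain: return the line NXLog would emit, or None if dropped."""
    user, eid = ev["TargetUserName"], ev["EventID"]
    if MACHINE_ACCOUNT.search(user):             # drop computer accounts (DC01$ etc.)
        return None
    if eid in (4624, 4648) and NOISY.search(user):  # drop only SUCCESSFUL noise
        return None
    if eid in FORWARDED_IDS:                     # rebuild $raw_event from fields
        raw = (f"Time:{ev['EventTime']}, EventID:{eid}, Keyword:{ev['Status']}, "
               f"LogonType:{ev['LogonType']}, User:{ev['TargetDomainName']}\\{user}, "
               f"IPAddr:{ev['IPAddress']}")
    else:                                        # other IDs: cut the verbose tail
        raw = ev["raw_event"]
        m = TRIM.match(raw)
        if m:
            raw = m.group(1)
    return raw.replace("\t", "  ")               # trailing s/\t/  /g applies to all


def mk(eid, user, raw="", status="0x0", logon_type=3, ip="10.0.0.5"):
    # Constructed sample event (hypothetical values).
    return {"EventID": eid, "TargetUserName": user, "TargetDomainName": "CORP",
            "EventTime": "2017-01-17 17:19:00", "Status": status,
            "LogonType": logon_type, "IPAddress": ip, "raw_event": raw}


SAMPLE_EVENTS = [
    mk(4624, "DC01$"),                        # machine account: always dropped
    mk(4624, "user1"),                        # chatty account, successful logon: dropped
    mk(4625, "user1", status="0xC000006D"),   # chatty account, FAILED logon: kept
    mk(4648, "user2"),                        # chatty account, explicit-cred logon: dropped
    mk(4768, "alice"),                        # normal user's TGT request: reformatted
    mk(4776, "bob", raw="Credential validation\tbob Additional Information: noise"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], ev["TargetUserName"], "->", filter_event(ev))
```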

1 Answer


The cause of the syntax error is that your brackets are not correctly paired. It should be like this:

Exec if ($EventID == 4624 ... ) drop(); 
        ^                     ^
b0ti
Omg I'm such an idiot. I guess that's what I get for trying to rush through that. Sorry for the stupid question and thank you for spotting my mistake. – Eric Jan 17 '17 at 17:19