nxlog querylist doesn't work as expected

Question

The above link is to a copy of my nxlog.conf. I couldn't find any documentation about how to use multiple blocks within a querylist block, but based on the name I assumed that I would be able to do this. My ELK server is receiving ALL events right now, not any of the filtered ones. I wanted to just use one query block but it is limited to 10 select entries. I can't find any examples of people using more than like 3 select entries. Has anyone had any luck with more advance nxlog.conf's? Any help would be appreciated.

score 0 · Answer 1 · answered May 02 '15 at 12:20

Not sure what the issue with the query xml is. If there is a limitation on the number of select entries, that's coming from the Windows Eventlog API so that cannot be helped.

On the other hand you can use nxlog's native filtering using drop():

Query       <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>
Exec if not ($EventID == 1 or $EventID == 2 or ...) drop();

score 0 · Accepted Answer · answered May 02 '15 at 12:58

0

actually there is no issue with the XML. I was viewing old results in my database from when I was testing nxlog.conf with no queries. My bad!

answered May 02 '15 at 12:58

bravosierra99

1,331
11
23

nxlog querylist doesn't work as expected

2 Answers2