nxlog.conf filtering windows event log issues

Question

I'm trying to pull specific windows event logs using nxlog and displaying them in graylog. It is retrieving the logs just fine, however, my problem is that: Even with a query, it still seems to pull a lot of data that is not specified in the query (e.g. here I specify Application with specific eventID's that I have been testing by creating dummy logs in cmd).

For example, I am still getting System, Security and various other logs appearing in graylog.

I'm very new to this so I'm probably missing something stupid. Here's a snip from my .conf:

nxlog.conf

score 0 · Answer 1 · answered Jul 09 '17 at 12:14

0

You should be able to test the XML query in event viewer. It's exactly the same there which you can copy-paste into your nxlog.conf.

If you are not getting filtered events it's either because you did not restart NXLog or still old events are showing up in Graylog.

answered Jul 09 '17 at 12:14

b0ti

2,319
1
18
18

how do you test the XML query in event viewer? – Kixoka Jan 08 '20 at 14:17
See https://learn.microsoft.com/en-us/archive/blogs/askds/advanced-xml-filtering-in-the-windows-event-viewer – b0ti Jan 09 '20 at 15:22

nxlog.conf filtering windows event log issues

1 Answers1