Querying specific events from the Windows event log using nxlog

3

Below is my nxlog configuration:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
    Module      xm_json
</Extension>
<Input internal>
        Module      im_internal
</Input>
<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>\
            <Query Id="0">\
            <Select Path="Security">*</Select>\
            </Query>\
            </QueryList>
    </Input>
<Output out>
    Module  om_tcp
    Host    localhost
    Port    3515
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
            to_json();
</Output>
<Route 1>
    Path    eventlog, internal => out
</Route>

<Select Path="Security">*</Select>\ -> the * gets everything from the Security log, but my requirement is to get only specific events by EventID - 4663. How do I do this? Please help. Thanks.

    
by user170899 03.10.2013 / 08:12

3 answers

3

Doing a regular expression match on $raw_event is a bit ugly and inefficient.

I suggest using the following form:

# Keeps only events whose EventID starts with 42; use /^4663$/ to keep exactly EventID 4663.
Exec if string($EventID) !~ /^42/ drop();

The alternative is to use the XML event selection:

Query <QueryList> \
           <Query Id="0">\
              <Select Path="Security">*[System[(EventID='4663')]]</Select>\
           </Query>\
      </QueryList>

Although it looks like a "starts with" match will not work here:

XPath 1.0 Limitations:

Windows Event Log supports a subset of XPath 1.0. There are limitations to what functions work in the query. For instance, you can use the "position", "Band", and "timediff" functions within the query but other functions like "starts-with" and "contains" are not currently supported.

    
by 21.12.2013 / 22:26
1

I don't know whether your event is INFO | WARNING | ERROR or what... but here goes...

Exec    if $raw_event !~ /INFO\s+4663/ drop();

Quick one, use the regex... if my $raw_event were equal to "2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information", I would use the following to DROP the event:

Exec    if $raw_event =~ /INFO\s+62464/ drop();

Short example: you need to use a regex to find exactly what you need when accessing the $raw_event variable. Please remove / adjust "log_info" after testing.

Exec if ($raw_event =~ /INFO\s+62464/) \
    { \
        log_info('Found amdkmdag EventID 62464, dropping it.'); \
        drop(); \
    }

Full example, where I use nxlog-ce (Windows) sending to a Debian / Graylog syslog server in GELF format.

## This is a basic configuration file for Windows Server 2008 * 2012 
## to GrayLog2 with GELF support and filtering.
## See the nxlog reference manual about the configuration options. 
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files (x86)\nxlog
# define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input pr_mseventlog>
    Module      im_msvistalog
    ReadFromLast    True
    # http://msdn.microsoft.com/en-us/library/aa385231.aspx
    # http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
    # Level 1 (ID=30  Critical)     severity level events
    # Level 2 (ID=40  Error)        severity level events
    # Level 3 (ID=50  Warning)      severity level events
    # Level 4 (ID=80  Information)  severity level events
    # Level 5 (ID=100 Verbose)      severity level events
    # All channels are included by default which are listed in the registry under these:
    # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels 
    # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
    #
    # <Select Path='Key Management Service'>*</Select></Query>\
    # <Select Path='Internet Explorer'>*</Select></Query>\
    # <Select Path='HardwareEvents'>*</Select></Query>\
    #
    Query   <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <Select Path="Application">*[Application/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\
            <Select Path='Windows PowerShell'>*</Select>\
        </Query>\
    </QueryList>

    # REGEX EXAMPLES:
    # "\s" equals one white space character, and ".*" equals any one char 
    # Line Contains both "bubble" and "gum"
    #   Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
    # Line does Not Contain "boy"
    #   Search pattern: ^(?!.*boy).*
    # Line Contains "bubble" but Neither "gum" Nor "bath"
    #   Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*

    # Uncomment next line to view all logs, we can view output to help 
    # create the regex, next line shows my $raw_event data to parse:
    # 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
    # Exec   log_info($raw_event) ;
    Exec if ($raw_event =~ /INFO\s+62464/) drop();

</Input>

<Output out>
    Module      om_udp
    Host        10.247.x.x
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path    pr_mseventlog  => out
</Route>
    
by 18.12.2013 / 22:27
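The two approaches in the answers above, selecting on the EventID field (or an XPath query on it) versus regex-matching the rendered $raw_event, behave differently on real data. The following is an added example, not code from the question or from either answer: it builds the XPath <Select> for one or more EventIDs (listing them with "or", since the Windows query language has no starts-with()/contains()), then runs both filters over a constructed stream of JSON events in the shape that the question's om_tcp + to_json() output produces. The field names EventID, EventRecordID, EventTime, Hostname, Severity and Message are the ones im_msvistalog exposes; the raw-line layout is an assumption modelled on the sample line in the second answer, and the sample events are constructed, not captured. The regex filter keeps a 4688 process-creation event whose command line merely mentions "4663", which is the "ugly" failure mode the first answer warns about.

```python
import json
import re

# Added example (not from the question or the answers). Field names follow
# im_msvistalog + to_json(); the raw line layout and sample events are
# constructed assumptions for illustration.


def build_select(path, event_ids):
    """Return the <Select> element that keeps only the given EventIDs.

    Windows Event Log XPath has no starts-with()/contains(), so every ID is
    listed explicitly and joined with 'or'.
    """
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one EventID is required")
    cond = " or ".join(f"EventID={i}" for i in ids)
    return f'<Select Path="{path}">*[System[({cond})]]</Select>'


def build_query(path, event_ids):
    """Wrap build_select() in the QueryList/Query envelope nxlog expects."""
    return ('<QueryList><Query Id="0">'
            + build_select(path, event_ids)
            + "</Query></QueryList>")


def keep_by_field(event, wanted):
    """Field-based check: keep the event only if its EventID is in `wanted`."""
    try:
        return int(event["EventID"]) in wanted
    except (KeyError, TypeError, ValueError):
        return False


def render_raw_event(event):
    """Approximate nxlog's default $raw_event for im_msvistalog (assumption)."""
    return "{EventTime} {Hostname} {Severity} {EventID} {Message}".format(**event)


RAW_4663 = re.compile(r"\b4663\b")


def keep_by_regex(raw_event):
    """Text-only check in the style of: Exec if $raw_event !~ /4663/ drop();"""
    return RAW_4663.search(raw_event) is not None


# Constructed sample stream: one JSON object per line, as om_tcp + to_json() sends.
SAMPLE_LINES = [
    json.dumps({"EventRecordID": 101, "EventID": 4663, "Channel": "Security",
                "EventTime": "2013-12-18 15:23:01", "Hostname": "ahost.adomain.local",
                "Severity": "INFO",
                "Message": "An attempt was made to access an object."}),
    json.dumps({"EventRecordID": 102, "EventID": 4656, "Channel": "Security",
                "EventTime": "2013-12-18 15:23:02", "Hostname": "ahost.adomain.local",
                "Severity": "INFO",
                "Message": "A handle to an object was requested."}),
    json.dumps({"EventRecordID": 103, "EventID": 4688, "Channel": "Security",
                "EventTime": "2013-12-18 15:23:03", "Hostname": "ahost.adomain.local",
                "Severity": "INFO",
                "Message": "A new process has been created. Process Command Line: "
                           "notepad.exe C:\\cases\\4663-notes.txt"}),
    json.dumps({"EventRecordID": 104, "EventID": 4663, "Channel": "Security",
                "EventTime": "2013-12-18 15:23:04", "Hostname": "ahost.adomain.local",
                "Severity": "INFO",
                "Message": "An attempt was made to access an object."}),
]


def filter_by_field(json_lines, wanted):
    """EventRecordIDs kept when filtering on the EventID field."""
    kept = []
    for line in json_lines:
        ev = json.loads(line)
        if keep_by_field(ev, wanted):
            kept.append(ev["EventRecordID"])
    return kept


def filter_by_regex(json_lines):
    """EventRecordIDs kept when regex-matching the rendered raw line."""
    kept = []
    for line in json_lines:
        ev = json.loads(line)
        if keep_by_regex(render_raw_event(ev)):
            kept.append(ev["EventRecordID"])
    return kept


if __name__ == "__main__":
    print(build_query("Security", [4663]))
    print("kept by EventID field:", filter_by_field(SAMPLE_LINES, {4663}))
    print("kept by raw-line regex:", filter_by_regex(SAMPLE_LINES))
```

The string build_query() returns is what goes after `Query` in the im_msvistalog block (split across lines with trailing backslashes, as the question's config does). Filtering at the source with that query is also cheaper than an Exec drop(), because events never leave the Windows event log API in the first place.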
0

You will probably find an answer to your question here:

link

    
by 22.10.2013 / 16:31