以下是我的 nxlog 配置
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Input internal>
Module im_internal
</Input>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>
<Output out>
Module om_tcp
Host localhost
Port 3515
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
to_json();
</Output>
<Route 1>
Path eventlog, internal => out
</Route>
<Select Path="Security">*</Select>\
->*
从安全日志中获取所有内容,但我的要求是获取以 EventId - 4663 开头的特定日志。我该怎么做?请帮忙。谢谢。
答案1
对 $raw_event 进行正则表达式匹配有点丑陋和低效。
我建议使用以下形式:
Exec if string($EventID) !~ /^42/ drop()
另一种方法是使用 XML 事件选择:
Query <QueryList> \
<Query Id="0">\
<Select Path="Security">*[System[(EventID='4663')]]</Select>\
</Query>\
</QueryList>
尽管看起来 starts-with 匹配在这里不起作用:
XPath 1.0 限制:
Windows 事件日志支持 XPath 1.0 的子集。查询中可以使用的函数有限制。例如,您可以在查询中使用“position”、“Band”和“timediff”函数但其他功能如“starts-with”并且“包含” 目前不支持。
答案2
我不确定您的事件是否是 INFO|WARNING|ERROR 或者什么......但是这里......
Exec if $raw_event !~ /INFO\s+4663/ drop();
快的,使用正则表达式...如果我的 $raw_event 等于“2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD 信息“我将使用以下内容来 DROP 事件:
Exec if $raw_event =~ /INFO\s+62464/ drop();
简短示例,您需要使用 RegEx 来准确找到访问 $raw_event 变量时所需的内容。请在测试后删除/调整“log_info”。
Exec if ($raw_event =~ /INFO\s+62464/) \
{ \
log_info('Found amdkmdag EventID 62464, dropping it.'); \
drop(); \
}
完整示例, 其中我使用 nxlog-ce(Windows)连接到 GELF 格式的 Debian/Graylog SysLog 服务器。
## This is a basic configuration file for Windows Server 2008 * 2012
## to GrayLog2 with GELF support and filtering.
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files (x86)\nxlog
# define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input pr_mseventlog>
Module im_msvistalog
ReadFromLast True
# http://msdn.microsoft.com/en-us/library/aa385231.aspx
# http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
# Level 1 (ID=30 Critical) severity level events
# Level 2 (ID=40 Error) severity level events
# Level 3 (ID=50 Warning) severity level events
# Level 4 (ID=80 Information) severity level events
# Level 5 (ID=100 Verbose) severity level events
# All channels are included by default which are listed in the registry under these:
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
#
# <Select Path='Key Management Service'>*</Select></Query>\
# <Select Path='Internet Explorer'>*</Select></Query>\
# <Select Path='HardwareEvents'>*</Select></Query>\
#
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
<Select Path="System">*[System/Level=4]</Select>\
<Select Path="Application">*[Application/Level=2]</Select>\
<Select Path="Setup">*[System/Level=3]</Select>\
<Select Path='Windows PowerShell'>*</Select>\
</Query>\
</QueryList>
# REGEX EXAMPLES:
# "\s" equals one white space character, and ".*" equals any one char
# Line Contains both "bubble" and "gum"
# Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
# Line does Not Contain "boy"
# Search pattern: ^(?!.*boy).*
# Line Contains "bubble" but Neither "gum" Nor "bath"
# Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*
# Uncomment next line to view all logs, we can view output to help
# create the regex, next line shows my $raw_event data to parse:
# 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
# Exec log_info($raw_event) ;
Exec if ($raw_event =~ /INFO\s+62464/) drop();
</Input>
<Output out>
Module om_udp
Host 10.247.x.x
Port 12201
OutputType GELF
</Output>
<Route 1>
Path pr_mseventlog => out
</Route>
答案3
您很可能在这里找到问题的答案: