How to send and view only Windows Security events with id 4626

Marco Ferrara

May 17, 2019, 1:23:33 PM
to LOGalyze List
Hi,

I searched for a guide but I didn't find one.
I installed the latest version on Windows.

Can you help me step by step to configure LOGalyze to receive only Windows Security events with ID 4626 from a client via nxlog? Alternatively, is it possible for only one host to send multiple security files to the server?

The nxlog conf is:
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log

<Extension json>
Module xm_json
</Extension>
<Extension syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog 
    Query <QueryList>\
             <Query Id="0">\
                   <Select Path="Security">*[System[(EventID='4624')]]</Select>\
              </Query>\
           </QueryList>  
</Input>

<Output out>
    Module      om_tcp
    Host        10.0.0.0
    Port        1672
</Output>
<Route 1>
    Path        eventlog, internal => out
</Route>


But I don't understand how to configure the LOGalyze server.

Thanks for the support.
Marco

