Windows Security Events

Started by IT-Finn, March 16, 2013, 07:30:22 PM


IT-Finn

Hi,

I'm new to NetXMS and I'm trying to get Windows Server 2008 R2 security events to appear in the NetXMS event log. I'm able to get application and system events to appear, but for some reason not the security events. I've tested the same configuration on Windows XP and it works. Do you need some additional configuration on 2008 R2? I'm using version 1.2.6.

Agent configuration:

SubAgent = logwatch.nsm
*LogWatch
Parser = C:\NetXMS\System_parser.xml
Parser = C:\NetXMS\Application_parser.xml
Parser = C:\NetXMS\Security_parser.xml

Security_parser.xml:

<parser>
  <file>*Security</file>
  <rules>
    <rule>
      <level>8</level>
      <match>(.*)</match>
      <event params="1">100006</event>
    </rule>
    <rule>
      <level>16</level>
      <match>(.*)</match>
      <event params="1">100007</event>
    </rule>
  </rules>
</parser>

Best regards,
Roger

Victor Kirhenshtein

Hi!

In Windows Vista/2008 the event log API was changed significantly, and all security events now have priority Informational. This is why your filter doesn't work. I just found an article that describes these changes: http://www.eventlogblog.com/mt/mt-search.cgi?tag=Vista%20Event%20Log%20Changes&blog_id=1. As a workaround, you can remove the "level" filter. For future releases I'll implement simulation of the old behavior.

Best regards,
Victor

Victor Kirhenshtein

Followup: just fixed it. Agent version 1.2.7 will pass 8 and 16 to log parser as level values for audit success and audit failure events.

Best regards,
Victor
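As an added illustration (not NetXMS code and not part of this thread): a small Python model of the two agent behaviours Victor describes, using the Audit Success/Audit Failure keyword bits of the Vista+ event XML as the source of the 8/16 mapping, with 4624/4625 as constructed sample events and the assumption that the pre-fix agent reported security events as Informational.

```python
import xml.etree.ElementTree as ET

# Legacy (pre-Vista) event type values; the parser's <level> rules match on these
EVENTLOG_INFORMATION_TYPE = 0x0004
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010

# Keyword bits that Vista/2008 security events carry instead of an audit level
KEYWORD_AUDIT_SUCCESS = 0x20000000000000
KEYWORD_AUDIT_FAILURE = 0x10000000000000

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rules from Roger's Security_parser.xml: legacy level -> NetXMS event code
RULES = {EVENTLOG_AUDIT_SUCCESS: 100006, EVENTLOG_AUDIT_FAILURE: 100007}

def event_level(event_xml, simulate_legacy):
    """Level value handed to the log parser for one rendered Windows event.

    simulate_legacy=False models 1.2.6 as Victor describes it (every security
    event arrives as Informational); True models the 1.2.7 fix, which derives
    8/16 from the Audit Success/Failure keywords. Assumption: the pre-fix agent
    reported the Informational type rather than the raw <Level> field.
    """
    system = ET.fromstring(event_xml).find("e:System", NS)
    keywords = int(system.find("e:Keywords", NS).text, 16)
    if simulate_legacy and keywords & KEYWORD_AUDIT_SUCCESS:
        return EVENTLOG_AUDIT_SUCCESS
    if simulate_legacy and keywords & KEYWORD_AUDIT_FAILURE:
        return EVENTLOG_AUDIT_FAILURE
    return EVENTLOG_INFORMATION_TYPE

def matched_event(event_xml, simulate_legacy=True):
    """NetXMS event code the <level> rules would raise, or None if none matches."""
    return RULES.get(event_level(event_xml, simulate_legacy))

# Constructed sample events in the Vista+ XML shape: <Level> is 0 for both, so
# only the Keywords field separates a logon success (4624) from a failure (4625).
def sample_event(event_id, keywords_hex):
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID><Level>0</Level>"
        f"<Keywords>{keywords_hex}</Keywords></System></Event>"
    )

LOGON_OK = sample_event(4624, "0x8020000000000000")
LOGON_FAIL = sample_event(4625, "0x8010000000000000")
```

With simulate_legacy=False both samples return None, which is exactly Roger's symptom: the Security log is read, but no <level> rule ever fires.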

IT-Finn

Hi,

Thank you very much. I'll test it when I get back to work. :)

Best regards,
Roger