NetXMS Support Forum

English Support => General Support => Topic started by: Benjamin Dill on May 27, 2018, 10:53:40 AM

Title: Windows event log -> NX-1258
Post by: Benjamin Dill on May 27, 2018, 10:53:40 AM
Hi,
I've read in the changelog for 2.2.3 that parameters of the Windows event log can be passed to the server. Is there an example of how to do that?
I checked the code, but my C++ is a bit rusty... I've seen that "EventData" is parsed, so can I match against these parameters in a parser rule? That would be quite useful!

Greetings,
Ben
Title: Re: Windows event log -> NX-1258
Post by: Benjamin Dill on May 27, 2018, 11:56:04 AM
Also, there seems to be a bug: when generating a NetXMS event from a Windows event, the agent crashes (version 2.2.6). Nothing helpful in the log at trace level 9; it just stops after "matched":
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] Publisher name is Microsoft-Windows-Security-Auditing
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] Match event: source="Microsoft-Windows-Security-Auditing" id=4768 level=8 text="Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] checking rule 1 ""
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   rule has no context
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   event id 0x000012a0 not in range 0x00001211 - 0x00001211
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] checking rule 2 ""
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   rule has no context
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   negated matching against regexp Ergebniscode: 0x0
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   matched

<parser name="LogonFailure" trace="9">
   <file>*Security</file>
   <rules>
      <rule name="id4625">
         <match repeatCount="0" repeatInterval="120">(.*)</match>
         <id>4625</id>
         <source></source>
      </rule>
      <rule name="id4768">
         <match invert="true" repeatCount="0" repeatInterval="120">Ergebniscode: 0x0</match>
         <id>4768</id>
         <source></source>
         <event params="1">100028</event>
      </rule>
...

Title: Re: Windows event log -> NX-1258
Post by: gdodd on May 30, 2018, 11:12:15 PM
In the rule "id4768" you have 1 parameter. In your Event 100028 you can use %1 in the message and that will be whatever you matched on.

https://www.netxms.org/documentation/adminguide/log-monitoring.html#passing-parameters-to-events
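A Python model of what the agent trace in the previous post shows (the <id> filter, the negated regexp match, and capture groups feeding %1..%N as gdodd describes), added here as an illustration; it is not NetXMS code and not from anyone in this thread. The Rule/WinEvent types, the first-rule-wins order and the assumption that an inverted match captures nothing are mine; the sample events are constructed.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                            # one <rule> of a logwatch parser (model, not NetXMS code)
    name: str
    regexp: str                        # <match> body
    event_id: Optional[int] = None     # <id>; None means any event id
    invert: bool = False               # <match invert="true">
    event_code: Optional[int] = None   # <event> body; None: consume the line, generate nothing
    params: int = 0                    # <event params="N">

WinEvent = namedtuple("WinEvent", "source event_id text")   # one captured Windows event
def apply_rule(rule, ev, trace):
    """Return (event_code, params) when the rule fires, else None; appends trace lines."""
    trace.append(f'checking rule "{rule.name}"')
    if rule.event_id is not None and ev.event_id != rule.event_id:
        trace.append(f"  event id {ev.event_id:#010x} not in range {rule.event_id:#010x}")
        return None
    m = re.search(rule.regexp, ev.text)
    if rule.invert:                    # rule fires only when the regexp does NOT match
        trace.append(f"  negated matching against regexp {rule.regexp}")
        if m is not None:
            return None
        captured = []                  # assumption: an inverted match captures nothing
    else:
        if m is None:
            return None
        captured = list(m.groups())    # capture groups become %1..%N of the event template
    trace.append("  matched")
    return rule.event_code, (captured + [""] * rule.params)[:rule.params]

def process(rules, ev):
    trace = []                         # first rule that fires wins (model)
    for rule in rules:
        result = apply_rule(rule, ev, trace)
        if result is not None:
            return result, trace
    return None, trace

# Rules transcribed from the LogonFailure parser in the post above (id4625 has no <event>)
RULES = [Rule("id4625", r"(.*)", event_id=4625, params=1),
         Rule("id4768", r"Ergebniscode: 0x0", event_id=4768, invert=True, event_code=100028, params=1)]

# Constructed sample events (not real log data)
SRC = "Microsoft-Windows-Security-Auditing"
TGT_FAILED = WinEvent(SRC, 4768, "Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert. Ergebniscode: 0x6")
TGT_OK = WinEvent(SRC, 4768, "Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert. Ergebniscode: 0x0")
```

Running process(RULES, TGT_FAILED) reproduces the trace lines from the post and fires event 100028; with TGT_OK the inverted rule does not fire, so no event is generated.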
Title: Re: Windows event log -> NX-1258
Post by: Benjamin Dill on June 02, 2018, 11:58:11 AM
I know that. I was referring to these changelog entries of 2.2.3:
Quote:
- Additional information about captured Windows Event Log event passed to the server
Quote:
NX-1258 (Option to pass event data from Windows event log to NetXMS event)
I found it out in the meantime: the additional information is accessible through the parameters property of the event class in NXSL. Currently the data is only accessible by array index, and the names array is empty. I'm not sure if this is supposed to be this way...
Title: Re: Windows event log -> NX-1258
Post by: it_user1 on July 03, 2018, 10:08:56 AM
Hi, I'm interested in this option because I want to use the NetXMS agent for Windows events. Now I use Graylog, but if it's possible to pass all event data to NetXMS I will use it instead of Graylog.