Hi,
I've read in the changelog for 2.2.3 that parameters of Windows event log events can be passed to the server. Is there an example of how to do that?
I checked the code but my C++ is a bit rusty... I've seen that "EventData" is parsed, so can I match against these parameters in a parser rule? That would be quite useful!
Greetings,
Ben
Also, there seems to be a bug: When generating a NetXMS event from a Windows event the agent crashes (version 2.2.6). Nothing helpful in the log at trace level 9, it just stops after "matched":
2018.05.27 10:51:08.559 *D* [logwatch.parser ] Publisher name is Microsoft-Windows-Security-Auditing
2018.05.27 10:51:08.559 *D* [logwatch.parser ] Match event: source="Microsoft-Windows-Security-Auditing" id=4768 level=8 text="Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.
2018.05.27 10:51:08.559 *D* [logwatch.parser ] checking rule 1 ""
2018.05.27 10:51:08.559 *D* [logwatch.parser ] rule has no context
2018.05.27 10:51:08.559 *D* [logwatch.parser ] event id 0x000012a0 not in range 0x00001211 - 0x00001211
2018.05.27 10:51:08.559 *D* [logwatch.parser ] checking rule 2 ""
2018.05.27 10:51:08.559 *D* [logwatch.parser ] rule has no context
2018.05.27 10:51:08.559 *D* [logwatch.parser ] negated matching against regexp Ergebniscode: 0x0
2018.05.27 10:51:08.559 *D* [logwatch.parser ] matched
<parser name="LogonFailure" trace="9">
    <file>*Security</file>
    <rules>
        <rule name="id4625">
            <match repeatCount="0" repeatInterval="120">(.*)</match>
            <id>4625</id>
            <source></source>
        </rule>
        <rule name="id4768">
            <match invert="true" repeatCount="0" repeatInterval="120">Ergebniscode: 0x0</match>
            <id>4768</id>
            <source></source>
            <event params="1">100028</event>
        </rule>
...
In the rule "id4768" you have 1 parameter. In your Event 100028 you can use %1 in the message and that will be whatever you matched on.
https://www.netxms.org/documentation/adminguide/log-monitoring.html#passing-parameters-to-events
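As an added illustration (not code from the thread, and not NetXMS's own parser code), here is a small Python model of the rule evaluation that the trace above shows (id range check, negated regexp match) together with the params="N" / %1 mechanism the reply explains. NetXMS behaviour is reproduced only as far as the thread and the linked documentation describe it; the 4625 regexp, the German field labels "Kontoname:" and "Quellnetzwerkadresse:", event code 100027 and the sample message texts are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the agent's logwatch.parser rule evaluation as it appears
# in the trace above. Added illustration, not NetXMS code.


@dataclass
class WinEvent:
    """One Windows event as the agent reports it in the trace."""
    source: str
    id: int
    level: int
    text: str


@dataclass
class Rule:
    """One <rule> from the parser XML."""
    name: str
    regexp: str                        # <match> body
    invert: bool = False               # <match invert="true">
    id_from: Optional[int] = None      # <id> single value or range start
    id_to: Optional[int] = None
    event_code: Optional[int] = None   # <event> body: NetXMS event to generate
    params: int = 0                    # <event params="N">


@dataclass
class RuleMatch:
    rule_name: str
    event_code: Optional[int]
    params: List[str]                  # values that become %1..%N


def check_rule(rule: Rule, ev: WinEvent, trace: List[str]) -> Optional[RuleMatch]:
    trace.append(f'checking rule "{rule.name}"')
    if rule.id_from is not None:
        lo = rule.id_from
        hi = rule.id_to if rule.id_to is not None else rule.id_from
        if not lo <= ev.id <= hi:
            # Same wording as the agent trace: ids printed as 8-digit hex.
            trace.append(f"event id 0x{ev.id:08x} not in range 0x{lo:08x} - 0x{hi:08x}")
            return None
    m = re.search(rule.regexp, ev.text)
    if rule.invert:
        trace.append(f"negated matching against regexp {rule.regexp}")
        if m is not None:
            trace.append("not matched")
            return None
        trace.append("matched")
        # A negated match cannot capture anything, so in this model every
        # declared parameter is passed as an empty string.
        return RuleMatch(rule.name, rule.event_code, [""] * rule.params)
    trace.append(f"matching against regexp {rule.regexp}")
    if m is None:
        trace.append("not matched")
        return None
    trace.append("matched")
    # params="N": the first N capture groups become %1..%N, padded if fewer.
    values = [g or "" for g in m.groups()[:rule.params]]
    values += [""] * (rule.params - len(values))
    return RuleMatch(rule.name, rule.event_code, values)


def run_parser(rules: List[Rule], ev: WinEvent) -> Tuple[Optional[RuleMatch], List[str]]:
    """Check rules in order; the first matching rule wins in this model."""
    trace: List[str] = []
    for rule in rules:
        hit = check_rule(rule, ev, trace)
        if hit is not None:
            return hit, trace
    return None, trace


def render_message(template: str, params: List[str]) -> str:
    """Expand %1..%n in an event message template; unknown indexes become ''."""
    def sub(m):
        n = int(m.group(1))
        return params[n - 1] if 0 < n <= len(params) else ""
    return re.sub(r"%(\d+)", sub, template)


# Rules modelled on the thread's parser config. The 4625 regexp and the German
# field labels are assumptions; 100027 is a constructed placeholder event code.
RULES = [
    Rule("id4625", r"Kontoname:\s+(\S+)[\s\S]*?Quellnetzwerkadresse:\s+(\S+)",
         id_from=4625, event_code=100027, params=2),
    Rule("id4768", r"Ergebniscode: 0x0", invert=True,
         id_from=4768, event_code=100028, params=1),
]

# Constructed sample events (message texts shortened, not real log output).
SRC = "Microsoft-Windows-Security-Auditing"
TGT_OK = WinEvent(SRC, 4768, 8, "Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert. Ergebniscode: 0x0")
TGT_FAIL = WinEvent(SRC, 4768, 8, "Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert. Ergebniscode: 0x6")
LOGON_FAIL = WinEvent(SRC, 4625, 16, "Fehler beim Anmelden eines Kontos. Kontoname: jdoe Quellnetzwerkadresse: 10.0.0.5")

if __name__ == "__main__":
    for ev in (TGT_OK, TGT_FAIL, LOGON_FAIL):
        hit, trace = run_parser(RULES, ev)
        print(f"--- event id={ev.id}")
        print("\n".join(trace))
        if hit is not None and hit.rule_name == "id4625":
            print(render_message("Logon failure for account %1 from %2", hit.params))
```

Running it prints a trace in the same shape as the agent's: the successful TGT request (Ergebniscode 0x0) fails rule 1 on the id range exactly as in the log above, then fails the negated rule 2 and generates nothing; the failed TGT request matches rule 2 with no captured values; the 4625 sample matches rule 1 and its two capture groups fill %1 and %2 of the event message. The model is only a reading of the documentation, not the agent source, so where the thread does not say what the agent does (for example with params="1" on a negated match) the model's choice is just a choice.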
I know that. I was referring to these changelog entries of 2.2.3:
> - Additional information about captured Windows Event Log event passed to the server
> NX-1258 (Option to pass event data from Windows event log to NetXMS event)
I found out in the meantime: the additional information is accessible via the parameters property of the event class in NXSL. Currently the data is only accessible by array index and the names array is empty. I'm not sure if this is supposed to be this way...
Hi, I'm interested in this option because I want to use the NetXMS agent for Windows events. Now I use Graylog, but if it's possible to pass all of an event's data to NetXMS I will use it instead of Graylog.