Windows event log synchronization

Started by gdodd, December 16, 2020, 08:23:18 PM


gdodd

Is there any available information regarding "Windows event log synchronization, server side parsing and agent side filtering" from the 3.6 release notes? It sounds like it is different than the Parser Definition file.

Tursiops

You can load the agent inside the Agent Configuration:
SubAgent=wineventsync.nsm

To enable syncing of logs, you next need to tell it which logs to monitor, see example below:

[WinEventSync]
EventLog=Application
EventLog=Security
EventLog=System


Now you need to configure the Events you want to monitor. You can set up filters per log in a [WinEventSync/LOGNAME] section. If you don't configure any filters, you'll get everything for that log:

[WinEventSync/Security]
IncludeEvent=4624-4625
IncludeEvent=4800-4803
...
ExcludeEvent=0-65535

[WinEventSync/System]
IncludeSource=Microsoft-Windows-WindowsUpdateClient
...
ExcludeSource=*


The above are just examples.
A few notes:

  • IncludeEvent and ExcludeEvent are for Event IDs. You can configure a range like 100-200. But you cannot add a comma-separated list. You can however add multiple Include/ExcludeEvent lines.
  • If you do not configure any Include or Exclude at all, everything in that log will be synced. That's the default.
  • Explicit Includes override Excludes. So if you configure an IncludeEvent=201 and an ExcludeEvent=200-300, you will receive all Events except 200 and 202-300.
  • IncludeSource and ExcludeSource are the Sources in the given log. I expect this to be basically the same as if you configured a Source in a Logwatch rule, but I have not actually tested this at all.
  • From what I can tell, you cannot configure specific combinations of Event and Source, e.g. only syncing Event ID 100 for Source MySource won't work.
  • ExcludeSource=* means exclude every source. You'll need an explicit IncludeSource to override that. But ExcludeEvent does not accept *. Here you'd need to use 0-65535 to exclude all Event IDs. That matters if you only want to collect very specific events, say from the Security log.
  • You can configure an Agent Policy with an Agent Configuration to deploy your configuration to agents.
  • DebugLevel=6 will give you debugging output related to wineventsync (and everything else) in your agent logs.
  • I have not played with the Windows Event Parser yet. But looks to me like that's basically the same as configuring a Logwatch parser rule, really. Just that it'll be processed on the NetXMS server instead of the client.
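The filter rules in the post above, as an added example that is not part of the original thread and not NetXMS code: a small Python simulator that parses the [WinEventSync] sections of an agent configuration, applies the semantics Tursiops describes (one ID or one range per Include/ExcludeEvent line, explicit includes override excludes, "*" only for sources, 0-65535 instead of "*" for Event IDs, a log must be listed under EventLog= to be monitored) and reports which sample events would reach the server. Assumptions: the configuration text and the sample events are constructed; sources get the same include-overrides-exclude treatment as Event IDs, which the post says is untested; an Include of either kind beats an Exclude of the other kind, since the post does not say how the two interact.

```python
"""Simulator for NetXMS WinEventSync filter rules as described in the thread.
Assumption: models the described semantics only; it is not NetXMS code and
does not talk to a real agent."""

# Constructed agent configuration, using the sections from the post.
AGENT_CONFIG = """
SubAgent=wineventsync.nsm

[WinEventSync]
EventLog=Application
EventLog=Security
EventLog=System

[WinEventSync/Security]
IncludeEvent=4624-4625
IncludeEvent=4800-4803
ExcludeEvent=0-65535

[WinEventSync/System]
IncludeSource=Microsoft-Windows-WindowsUpdateClient
ExcludeSource=*
"""


def parse_config(text):
    """Parse the INI-like agent config, keeping repeated keys (EventLog=, IncludeEvent=)."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_event_spec(spec):
    """'4624' -> (4624, 4624); '100-200' -> (100, 200). Rejects forms the post says won't work."""
    if "," in spec:
        raise ValueError(f"comma lists are not accepted, use one line per range: {spec!r}")
    if spec == "*":
        raise ValueError("'*' is not accepted for Event IDs; use 0-65535 to cover all of them")
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad Event ID range: {spec!r}")
    return lo, hi


class LogFilter:
    """Filter rules for one [WinEventSync/LOGNAME] section."""

    def __init__(self, entries):
        self.inc_ev, self.exc_ev, self.inc_src, self.exc_src = [], [], set(), set()
        for key, value in entries:
            if key == "IncludeEvent":
                self.inc_ev.append(parse_event_spec(value))
            elif key == "ExcludeEvent":
                self.exc_ev.append(parse_event_spec(value))
            elif key == "IncludeSource":
                self.inc_src.add(value)
            elif key == "ExcludeSource":
                self.exc_src.add(value)
            else:
                raise ValueError(f"unknown filter key {key!r}")

    @staticmethod
    def _in_ranges(ranges, event_id):
        return any(lo <= event_id <= hi for lo, hi in ranges)

    @staticmethod
    def _source_in(rules, source):
        # Assumption: '*' (every source) or an exact source name, no other globbing.
        return "*" in rules or source in rules

    def accepts(self, event_id, source):
        if not (self.inc_ev or self.exc_ev or self.inc_src or self.exc_src):
            return True  # no filter at all: the whole log is synced (the default)
        if self._in_ranges(self.inc_ev, event_id) or self._source_in(self.inc_src, source):
            return True  # explicit includes override excludes
        if self._in_ranges(self.exc_ev, event_id) or self._source_in(self.exc_src, source):
            return False
        return True


def build_filters(config):
    """Return {logname: LogFilter} for every EventLog= listed under [WinEventSync]."""
    logs = [v for k, v in config.get("WinEventSync", []) if k == "EventLog"]
    return {log: LogFilter(config.get(f"WinEventSync/{log}", [])) for log in logs}


def would_sync(filters, log, event_id, source):
    """True if an event from LOG with EVENT_ID and SOURCE would be synced to the server."""
    flt = filters.get(log)
    if flt is None:
        return False  # log not listed under EventLog=, so it is not monitored at all
    return flt.accepts(event_id, source)


# Constructed sample events: (log, event id, source).
SAMPLE_EVENTS = [
    ("Security", 4624, "Microsoft-Windows-Security-Auditing"),
    ("Security", 4672, "Microsoft-Windows-Security-Auditing"),
    ("System", 19, "Microsoft-Windows-WindowsUpdateClient"),
    ("System", 7036, "Service Control Manager"),
    ("Application", 1000, "Application Error"),
    ("Setup", 1, "Microsoft-Windows-Servicing"),
]

if __name__ == "__main__":
    filters = build_filters(parse_config(AGENT_CONFIG))
    for log, eid, src in SAMPLE_EVENTS:
        verdict = "sync" if would_sync(filters, log, eid, src) else "drop"
        print(f"{log:12} {eid:5} {src:40} -> {verdict}")
```

Running it shows 4624 from Security and the WindowsUpdateClient event from System being synced, 4672 and the Service Control Manager event being dropped, everything from Application passing because that section has no rules, and the Setup event dropped because Setup is not listed under EventLog=. Feeding it a rule like IncludeEvent=4624,4625 or ExcludeEvent=* raises a ValueError, which is a cheap way to lint a configuration before deploying it through an Agent Policy.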

gdodd

Thank you for the detailed response. This is exactly what I needed.