Below is my nxlog configuration:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_tcp
    Host localhost
    Port 3515
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
         to_json();
</Output>

<Route 1>
    Path eventlog, internal => out
</Route>
    <Select Path="Security">*</Select>\

The `*` here pulls everything from the Security log, but what I need is only the specific events whose EventID starts with 4663. How do I do that? Please help. Thanks.
Doing a regex match on $raw_event is a bit ugly and inefficient.
I would suggest the following form instead:
    # drop every event whose EventID does not start with 42
    Exec if string($EventID) !~ /^42/ drop();
Another way is to use XML event selection:
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID='4663')]]</Select>\
        </Query>\
    </QueryList>
Although it looks like a starts-with match will not work here.
XPath 1.0 limitations:
Windows Event Log supports a subset of XPath 1.0. There are limitations on which functions are available in a query. For example, you can use the position, Band and timediff functions in a query, but other functions such as starts-with and contains are currently not supported.
I am not sure whether your event is INFO | WARNING | ERROR or something else, but here goes...
Exec if $raw_event !~ /INFO\s+4663/ drop();
Quick version, using a regex... if my $raw_event were "2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information", I would drop the event with:
Exec if $raw_event =~ /INFO\s+62464/ drop();
Short example: you need a regex that finds exactly what you need when you access the $raw_event variable. After testing, please remove or adjust the "log_info".
    Exec if ($raw_event =~ /INFO\s+62464/) \
         { \
             log_info('Found amdkmdag EventID 62464, dropping it.'); \
             drop(); \
         }
Full example: I use nxlog-ce (Windows) sending GELF to a Debian/Graylog syslog server.
## This is a basic configuration file for Windows Server 2008 * 2012
## to GrayLog2 with GELF support and filtering.
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files (x86)\nxlog
# define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input pr_mseventlog>
    Module im_msvistalog
    ReadFromLast True
    # http://msdn.microsoft.com/en-us/library/aa385231.aspx
    # http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
    # Level 1 (ID=30 Critical) severity level events
    # Level 2 (ID=40 Error) severity level events
    # Level 3 (ID=50 Warning) severity level events
    # Level 4 (ID=80 Information) severity level events
    # Level 5 (ID=100 Verbose) severity level events
    # All channels are included by default which are listed in the registry under these:
    # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
    # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
    #
    # <Select Path='Key Management Service'>*</Select></Query>\
    # <Select Path='Internet Explorer'>*</Select></Query>\
    # <Select Path='HardwareEvents'>*</Select></Query>\
    #
    # Level lives under the <System> element of every event, hence System/Level for each channel
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <Select Path="Application">*[System/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\
            <Select Path='Windows PowerShell'>*</Select>\
        </Query>\
    </QueryList>
    # REGEX EXAMPLES:
    # "\s" equals one white space character, "." equals any one char, ".*" any run of them
    # Line Contains both "bubble" and "gum"
    # Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
    # Line does Not Contain "boy"
    # Search pattern: ^(?!.*boy).*
    # Line Contains "bubble" but Neither "gum" Nor "bath"
    # Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*
    # Uncomment next line to view all logs, we can view output to help
    # create the regex, next line shows my $raw_event data to parse:
    # 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
    # Exec log_info($raw_event);
    Exec if ($raw_event =~ /INFO\s+62464/) drop();
</Input>

<Output out>
    Module om_udp
    Host 10.247.xx
    Port 12201
    OutputType GELF
</Output>

<Route 1>
    Path pr_mseventlog => out
</Route>
You may find the answer to your question here: