Inverse Matching

You can use an 'Exec' statement to match on the inverse of a pattern (dropping every event that does not match), like so:

<Input in>
  Module im_file
  File "E:/Imports/get_accessplans/log-test.txt"
  Exec if $raw_event !~ /someThing/ drop();
</Input>

However, when you're using a pattern db this is harder, as the REGEXP doesn't seem to honor inverses like you'd expect. Instead, you must look for matches in your pattern db like normal:

<?xml version="1.0" encoding="UTF-8"?>


      <name>Identify user login success usernames</name>


        <value>windowsaccountname \r\n(\S+)</value>


Then add a section to your nxlog.conf to take action when the above capture field doesn't exist (meaning there wasn't a regexp match):


# Process log events
<Processor pattern>
  Module  pm_pattern
  PatternFile %ROOT%/conf/patterndb.xml
</Processor>

# Using a null processor just to have a place to put the exec statement
<Processor filter>
  Module pm_null
  Exec if (($EventID == 501) and ($ADFSLoginSucccessID == undef)) drop();
</Processor>

# Output the logs out using the TCP module, convert to JSON format (important)
<Output out>
    Module      om_tcp
    Host        some.server
    Port        6379
    Exec to_json();
</Output>

# Define the route by mapping the input to an output
<Route 1>
    Path        in => pattern => filter => out
</Route>
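
The pattern database that the steps above rely on, written out in full as an added example (not the original author's file), showing where the captured field tested in the filter's Exec comes from. Only the pattern name, the regular expression and the ADFSLoginSucccessID field name come from the text; the created/version values, the group name, the ids and the choice of Message as the matched field are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Values marked "assumed" are not from the original page. -->
<patterndb>
  <created>2024-01-01 00:00:00</created>  <!-- assumed -->
  <version>1</version>                    <!-- assumed -->
  <group>
    <name>adfs</name>                     <!-- assumed -->
    <id>1</id>                            <!-- assumed -->
    <pattern>
      <id>1</id>                          <!-- assumed -->
      <name>Identify user login success usernames</name>
      <matchfield>
        <!-- Field the regexp is applied to (assumed) -->
        <name>Message</name>
        <type>regexp</type>
        <value>windowsaccountname \r\n(\S+)</value>
        <!-- The first capture group is stored in this field. It only
             exists on events where the regexp matched, which is what
             the "== undef" test in the filter processor relies on. -->
        <capturedfield>
          <name>ADFSLoginSucccessID</name>
          <type>string</type>
        </capturedfield>
      </matchfield>
    </pattern>
  </group>
</patterndb>
```

The captured field name here has to match the name tested in the filter's Exec character for character. If the two spellings differ, the field is always undefined and every event with EventID 501 is dropped.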