How to forward the raw XML for Windows logs

#1 ryanswj

Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using nxlog EE.

Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use

Exec $Message = to_xml(); to_syslog_bsd();

then I get an XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM.

Thank you!

As an aside, this is what I want:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2021-06-25T08:54:27.604250100Z" />
    <EventRecordID>718</EventRecordID>
    <Correlation />
    <Execution ProcessID="592" ThreadID="3300" />
    <Channel>System</Channel>
    <Computer>Lab-NXServer</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Client License Service (ClipSVC)</Data>
    <Data Name="param2">running</Data>
    <Binary>43006C00690070005300560043002F0034000000</Binary>
  </EventData>
</Event>
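As an added example (not part of the original post and not NXLog code), the Python script below shows what a consumer expects from the "raw" format the question asks for: it checks that the root element is an <Event> in the Microsoft events namespace (the property a generic XML serialisation lacks, which is why a SIEM parser tuned to Windows Event XML rejects it), then flattens the System and EventData sections into a dict, decoding the <Binary> payload as UTF-16LE. The sample event is the one quoted in the question, embedded as a constant so the script runs offline; field names in the returned dict are this example's own choice.

```python
"""Parse raw Windows Event Log XML (Event Viewer "XML View" format) into a flat
dict, the shape a SIEM normally wants. Added example; not NXLog's own code."""
import xml.etree.ElementTree as ET

WIN_EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": WIN_EVENT_NS}
EVENT_TAG = "{%s}Event" % WIN_EVENT_NS

# Sample event taken from the question, embedded here so the script runs offline.
SAMPLE_EVENT_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2021-06-25T08:54:27.604250100Z" />
    <EventRecordID>718</EventRecordID>
    <Correlation />
    <Execution ProcessID="592" ThreadID="3300" />
    <Channel>System</Channel>
    <Computer>Lab-NXServer</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Client License Service (ClipSVC)</Data>
    <Data Name="param2">running</Data>
    <Binary>43006C00690070005300560043002F0034000000</Binary>
  </EventData>
</Event>
"""


def is_windows_event_xml(xml_text):
    """True only if the root is <Event> in the Microsoft events namespace.
    A generic serialiser's output has a different root and fails this check."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return root.tag == EVENT_TAG


def decode_binary(hex_text):
    """<Binary> is hex; Service Control Manager stores UTF-16LE text in it."""
    raw = bytes.fromhex(hex_text.strip())
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def parse_windows_event(xml_text):
    """Flatten <System> and <EventData> into one dict (keys chosen for this example)."""
    root = ET.fromstring(xml_text)
    if root.tag != EVENT_TAG:
        raise ValueError("root element is not a Windows <Event> (namespace mismatch)")
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("<System> block missing")
    ev = {}
    provider = system.find("e:Provider", NS)
    if provider is not None:
        ev["Provider"] = provider.get("Name")
        ev["ProviderGuid"] = provider.get("Guid")
    # Numeric fields; Keywords stays a hex string because it is a bitmask.
    for tag in ("EventID", "Version", "Level", "Task", "Opcode", "EventRecordID"):
        text = system.findtext("e:" + tag, namespaces=NS)
        if text is not None:
            ev[tag] = int(text)
    for tag in ("Keywords", "Channel", "Computer"):
        ev[tag] = system.findtext("e:" + tag, namespaces=NS)
    tc = system.find("e:TimeCreated", NS)
    if tc is not None:
        ev["TimeCreated"] = tc.get("SystemTime")
    ex = system.find("e:Execution", NS)
    if ex is not None:
        ev["ProcessID"] = int(ex.get("ProcessID", 0))
        ev["ThreadID"] = int(ex.get("ThreadID", 0))
    sec = system.find("e:Security", NS)
    if sec is not None and sec.get("UserID"):
        ev["UserID"] = sec.get("UserID")  # present on events with a subject SID
    data = {}
    edata = root.find("e:EventData", NS)
    if edata is not None:
        # <Data Name="..."> keys by name; unnamed Data elements get positional keys.
        for i, d in enumerate(edata.findall("e:Data", NS)):
            data[d.get("Name") or "Data%d" % i] = d.text or ""
        binary = edata.findtext("e:Binary", namespaces=NS)
        if binary:
            data["Binary"] = decode_binary(binary)
    ev["EventData"] = data
    return ev


if __name__ == "__main__":
    print(is_windows_event_xml(SAMPLE_EVENT_XML))
    print(parse_windows_event(SAMPLE_EVENT_XML))
```

The namespace check is the part worth keeping on the receiving side: it distinguishes the Event Viewer format from any other XML that happens to contain an EventID element. The script uses the standard-library parser; for XML arriving from hosts you do not control, a hardened parser such as defusedxml is the safer choice against entity-expansion payloads.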
#2 vmilchorena Deactivated Nxlog ✓

You should be able to use only to_xml() to forward the logs to your SIEM. Have you tried this, and if so, does it work, or is it being parsed differently by the SIEM?