im_msvistalog + If/Else Statement


#1 behr

Hi,

My working nxlog.conf relies on Query directives aimed at explicitly named Channels together with the im_msvistalog Module.

<Input blu_eventlog_iis>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Microsoft-IIS-Configuration/Administrative">*</Select>\
                    <Select Path="Microsoft-IIS-Configuration/Operational">*</Select>\
                    <Select Path="Microsoft-IIS-Logging/Logs">*</Select>\
                </Query>\
            </QueryList>

    # Filter noise from IIS schema issues
    Exec    if ($Message =~ /Unable to find schema/) drop();

    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec    $EventTime = integer($EventTime);

    # JSON is required because some Windows logs contain new-line characters.
    Exec    $Message = to_json();
</Input>

<Output blu_out_eventlog_iis>
    Module  om_tcp
    Host    %SIEM%
    Port    %PORT%
    Exec    to_syslog_bsd();
</Output>

<Route route_eventlog_iis>
    Path    blu_eventlog_iis => blu_out_eventlog_iis
</Route>

I hoped to clean up some 15007 errors in the nxlog.log files included below:

2020-07-06 14:42:55 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

I suspect the 15007 errors are being generated because IIS isn't set up. In other words, the named IIS Channels are queried but not found.

Is it possible to add an If/Else statement as part of those Query directives? Looking over the NXlog CE Manual I only see the If/Else statement used with Exec. Any guidance would be greatly appreciated!

#2 manuel.munoz (Deactivated) Nxlog ✓

The solution here to get rid of those error messages is for you to control the internal logging by using im_internal (and disabling the LogFile directive), and by detecting and grepping undesired messages.

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_internal
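Putting the suggested approach together, the following is an added example configuration (not part of the answer above and not an official NXLog snippet) that routes NXLog's own messages through im_internal and drops only the 15007 subscription error from the original post; the file path and input/output names are assumptions.

```apacheconf
# Global section: the LogFile directive is deliberately left out, so
# internal messages are only visible through the im_internal input below.
LogLevel    INFO

<Input nxlog_internal>
    Module  im_internal

    # Drop only the expected "channel not found" error for the IIS channels
    # (error code 15007 in the log line quoted in the question). Hosts
    # without IIS never have these channels, so this is known noise there.
    # The match is kept narrow on purpose: other subscription failures and
    # other error codes still reach the log and the SIEM.
    Exec    if ($Message =~ /failed to subscribe to msvistalog events/ and \
                $Message =~ /error code: 15007/) drop();
</Input>

# Local replacement for the removed LogFile directive: everything that was
# not dropped above is still written to a file on the host...
<Output nxlog_internal_file>
    Module  om_file
    File    "C:\\Program Files (x86)\\nxlog\\data\\nxlog-filtered.log"   # assumed path
</Output>

# ...and forwarded to the SIEM alongside the event log data, so a real
# collection failure on a host is visible centrally.
<Output nxlog_internal_siem>
    Module  om_tcp
    Host    %SIEM%
    Port    %PORT%
    Exec    to_syslog_bsd();
</Output>

<Route route_internal>
    Path    nxlog_internal => nxlog_internal_file, nxlog_internal_siem
</Route>
```

On hosts where IIS is expected to be installed, leave the drop rule out: there a 15007 means the collection is silently broken, which is exactly the condition the internal log should surface.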