
Sending txt logs to a remote server using Snare does not show log content
Hello, thanks in advance.
I am sending multiple logs from a Windows server to a Linux collector.
I have no issues with Windows system logs.
It seems I cannot send Windows system logs via Snare, and test plain text logs.
Is there any way to do that?

But when I switch to Snare I can see no description of the warning:
2022-10-21T09:21:21+00:00 Winserver MSWinEventLog#0111#011N/A#0111#011Fri Oct 21 09:21:21 2022#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011#011N/A#011N/A#015

The same line with Snare commented out:
2022-10-21T09:18:23.208210+00:00 Winserver WARNING: Can't open file \\?\C:\...\UPPS\UPPS.BIN: Permission denied#015

My config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\App\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Input internal>
    Module  im_internal
    Exec $Hostname = hostname_fqdn();
</Input>

<Input vistalog>
    Module  im_msvistalog
</Input>

<Input eventlog>
    Module  im_mseventlog
</Input>

<Input testFile>
  Module im_file
  SavePos True
  RenameCheck True
  Recursive True
  PollInterval 0.5 #near real time
  File "C:\\test\\myfile.txt"
  ReadFromLast True
</Input>

<Output out>
    Module  om_tcp
    Host    linux
    Port    514
    #Exec    to_syslog_snare();
</Output>

<Route r>
   # Path    internal, eventlog, vistalog, testFile => out
   Path testFile => out
</Route>

eebs
Replies: 1
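The likely cause, shown as an added example that is not part of the question or of NXLog's documentation: im_file populates only $raw_event, while to_syslog_snare() builds its record from $Message, $EventID, $SourceName and the other fields named in its documentation. None of those exist for a plain text line, so every Snare column comes out as N/A and the warning text is lost. Copying the line into $Message inside the file input (not in the shared output, where it would overwrite the real $Message of the event-log inputs) restores it; the file path and the label values are assumptions.

```nxlog
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input testFile>
    Module       im_file
    File         "C:\\test\\myfile.txt"
    SavePos      True
    ReadFromLast True
    # im_file sets only $raw_event. to_syslog_snare() ignores $raw_event and
    # assembles the Snare record from $Message and friends, so hand it the line.
    <Exec>
        $Message    = $raw_event;
        # Assumed labels so the Snare log-name and source columns are not N/A.
        $FileName   = file_name();
        $SourceName = "testFile";
        to_syslog_snare();
    </Exec>
</Input>

<Input vistalog>
    Module  im_msvistalog
    # Event-log records already carry $Message, $EventID, ...; converting
    # here keeps the plain-text route's Exec from touching them.
    Exec    to_syslog_snare();
</Input>

<Output out>
    Module  om_tcp
    Host    linux
    Port    514
</Output>

<Route r>
    Path    vistalog, testFile => out
</Route>
```

The #011 and #015 in the collector output are rsyslog's escaping of the tab and carriage return characters that the Snare format uses as delimiters, not something NXLog sends literally.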
jeffron
Using to_syslog_snare() but with ISO8601 date format (need timezone attached to time)
Hello. I would like to use the "to_syslog_snare()" procedure but with the ISO8601 time format, so that the date and time would be formatted as "2021-05-28T07:35:49+00:00" instead of "May  28 07:35:49". How would I achieve this? Thank you!

heikis
Replies: 1
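One way to get the ISO 8601 timestamp with the UTC offset, as an added example and not the poster's or NXLog's own code: to_syslog_snare() always writes the classic BSD timestamp, so let it build $raw_event and then replace that first timestamp using the regex capture groups and strftime(). It assumes the events come from im_msvistalog, so $EventTime is set.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input vistalog>
    Module  im_msvistalog
    <Exec>
        to_syslog_snare();
        # $raw_event now starts "<PRI>May 28 07:35:49 host MSWinEventLog...".
        # Capture the priority and everything after the BSD timestamp, then
        # reassemble with an ISO 8601 stamp that carries the timezone offset.
        if not defined($EventTime) $EventTime = $EventReceivedTime;
        if $raw_event =~ /^(<\d+>)[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (.*)$/s
        {
            $raw_event = $1 + strftime($EventTime, "YYYY-MM-DDThh:mm:ssTZ") + " " + $2;
        }
    </Exec>
</Input>
```

The named format "YYYY-MM-DDThh:mm:ssTZ" is what yields the "+00:00" style offset; the C-style "%z" would give "+0000" without the colon.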
raf
Selective logging of Windows Event Log fields when forwarding to SIEM - exclude information text from the end of the log message
Here is a sample event when using to_syslog_snare() in the nxlog.conf:

<14>Jan 27 10:03:39 event_computer MSWinEventLog	1	Security	32630749	Wed Jan 27 10:03:39 2016	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	event_computer	Logon		An account was successfully logged on.  Subject:  Security ID: S-1-0-0  Account Name: -  Account Domain: -  Logon ID: 0x0  Logon Type: 3  Impersonation Level: Impersonation  New Logon:  Security ID: S-1-5-21-2705889813-1605608894-1661845433-43745  Account Name: account_name  Account Domain: account_domain  Logon ID: 0x23820B882  Logon GUID: {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID: 0x0  Process Name: -  Network Information:  Workstation Name: workstation_name  Source Network Address: source_address  Source Port: 54241  Detailed Authentication Information:  Logon Process: NtLmSsp  Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V2  Key Length: 0  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	35284558

My issue is that I would NOT want to collect the "informational text" representing the event - in this case everything starting from the string "This event is generated..." all the way up until "...was requested."

Before I go any deeper into this, let me state that in the logs of this format I call the "<14>Jan 27 10:03:39 event_computer MSWinEventLog	1	Security	32630749	Wed Jan 27 10:03:39 2016	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	event_computer	Logon" portion of the whole log message the HEADER, and the rest is called MESSAGE.

Putting it another way, I would like to forward the message using syslog in a format constructed according to the pseudocode below:

parse fields from windows event /* e.g. SubjectUserName, LogonType, IpAddress, etc. */
/* print the header "as is" already in the to_syslog_snare() format, i.e. from "<14>..." until and including "...Logon" */
print HEADER /* e.g. event_time,event_computer,event_type,event_id,... */
for all fields parsed
    print "'field_name=field_value'" /* e.g. SubjectUserName=value,LogonType=value,IpAddress=value,... */

The reason I would like to do this is that the informational text, which gets appended to some Windows events (not all, it seems), takes a lot of space, and we do not really need this informational text for anything.

Another way to do this would be to statically list all the fields POSSIBLY found in a Windows event and construct the message that way, but this would often leave me with a lot of empty key-value pairs. THUS I would only like to print out those fields that were found in that specific log message while leaving out the informational message.

I do acknowledge, though, that especially Application and System events might not contain most or any of the fields that are present in a Security log event. Take for example the following System log event:

<14>Jan 27 11:09:21 event_computer MSWinEventLog	1	System	32633951	Wed Jan 27 11:09:21 2016	7036	Service Control Manager	N/A	N/A	Information	event_computer	N/A		The Remote Registry service entered the stopped state.	319889

In the example above, the "header" portion of the whole message only contains the string "The Remote Registry service entered the stopped state." I do hope, though, that the variable where this string is stored is actually the same that hosted the string "An account was successfully logged on.", which would mean that my approach in the pseudocode would still work (i.e. the array or list of fields that is iterated and printed would only contain one field). The HEADER portion of the field is exactly the same in all messages.

The description of to_syslog_snare() in the nxlog documentation states:

"Create a SNARE Syslog formatted log message in $raw_event. Uses the following fields to construct $raw_event: $EventTime, $Hostname, $SeverityValue, $FileName, $EventID, $SourceName, $AccountName, $AccountType, $EventType, $Category, $Message."

Thus, reflecting back on what I said, it seems that what I call the HEADER includes all the fields from $EventTime to (and including) $Category - this I would like to keep as it is. But according to the documentation, the $Message variable then holds all the other information in the log, or what I call the MESSAGE portion. So I guess the question is whether the contents of the $Message variable can be further filtered, as it is obviously constructed from e.g. the EventData's Data fields listed below. I would like to only change the $Message contents so that it would never contain the informational text if there exists such a message in a given log message, and preferably the Data fields inside $Message would be formatted using key-value pairs instead of the to_syslog_snare format seen in the first example (one or more whitespace as delimiter).


tsigidibam
Replies: 1
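One way to reshape $Message while leaving the Snare HEADER untouched, as an added example that is neither the poster's nor NXLog's own code: trim the boilerplate with a regex substitution, then rebuild $Message from the EventData fields im_msvistalog exposes for this particular event. The NXLog language has no loop over record fields, so the candidate field names below are an assumed list; only the ones present in the event produce a pair, which avoids the empty key-value pairs the post worries about.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input security>
    Module  im_msvistalog
    <Exec>
        # 1. Cut the explanatory text Windows appends to some events: from
        #    "This event is generated" to the end of $Message (/s lets "."
        #    cross the embedded line breaks).
        if defined($Message) $Message =~ s/\s*This event is generated.*$//s;

        # 2. Emit only the EventData fields this event actually carries, as
        #    key=value pairs. Assumed candidate list; extend as needed.
        $kv = "";
        if defined($SubjectUserName)  $kv = $kv + "SubjectUserName="  + $SubjectUserName  + ",";
        if defined($TargetUserName)   $kv = $kv + "TargetUserName="   + $TargetUserName   + ",";
        if defined($TargetDomainName) $kv = $kv + "TargetDomainName=" + $TargetDomainName + ",";
        if defined($LogonType)        $kv = $kv + "LogonType="        + string($LogonType) + ",";
        if defined($IpAddress)        $kv = $kv + "IpAddress="        + $IpAddress        + ",";
        if defined($WorkstationName)  $kv = $kv + "WorkstationName="  + $WorkstationName  + ",";
        if defined($ProcessName)      $kv = $kv + "ProcessName="      + $ProcessName      + ",";
        $kv =~ s/,$//;

        # 3. Events without EventData fields (e.g. the System 7036 sample
        #    above) keep their original, trimmed text instead of going empty.
        if $kv != "" $Message = $kv;

        # 4. The HEADER columns ($EventTime ... $Category) are untouched;
        #    only the MESSAGE column changes.
        to_syslog_snare();
    </Exec>
</Input>
```

xm_kvp's to_kvp() can serialize the record without a field list, but it writes the whole record (header fields and the original $Message included) into $raw_event, so the explicit list is the closer fit to the HEADER/MESSAGE split described in the post.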
adm