Forward Windows event logs in Log collector Linux
Emanuele created
Hi all,
I must send the event logs (only event ID 4626 and 4625) to the Linux log collector. Can you help me with the configuration?
Thank you.
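One way to do what the question asks, as an added example config that is not from this thread (the collector address 192.0.2.10 and port 1514 are placeholders): the Windows agent lets the event log API filter the Security channel down to the two event IDs via QueryXML, serialises every parsed field as JSON and ships it over TCP; the Linux collector receives with im_tcp and writes to a file.

```nxlog
# --- Windows agent: nxlog.conf (added example, not the thread's config) ---
<Extension _json>
    Module  xm_json
</Extension>

<Input security>
    Module  im_msvistalog
    # Filter at the source: only EventID 4625 and 4626 from the Security channel
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4625 or EventID=4626)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep all parsed fields (EventID, TargetUserName, IpAddress, ...) in $raw_event
    Exec    to_json();
</Input>

<Output collector>
    Module  om_tcp
    # Placeholder address/port of the Linux collector; must match im_tcp below
    Host    192.0.2.10
    Port    1514
</Output>

<Route r1>
    Path    security => collector
</Route>

# --- Linux collector: nxlog.conf (added example) ---
<Input from_windows>
    Module  im_tcp
    # im_tcp binds to localhost by default; bind to the collector's reachable address
    Host    0.0.0.0
    Port    1514
</Input>

<Output logons>
    Module  om_file
    File    "/var/log/nxlog/windows-logons.json"
</Output>

<Route r1>
    Path    from_windows => logons
</Route>
```

Plain om_tcp/im_tcp carries the events unencrypted; om_ssl/im_ssl are the TLS-wrapped equivalents when the collector link crosses an untrusted network.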
NXLog Enrichment
JacobY created
I'm attempting to enrich some Windows event logs with "ClientMachine", which needs to equal the hostname. I'm having issues: only some logs come through with this enriched field, and others do not contain the ClientMachine enrichment. My config is below. Any help would be greatly appreciated.
Panic Soft
define ROOT C:\Program Files\nxlog
#ModuleDir %ROOT%\modules
#CacheDir %ROOT%\data
#SpoolDir %ROOT%\data
#define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log
# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set LogFile below and
# disable the include line.
LogFile %MYLOGFILE%
<Extension _syslog>
    Module xm_syslog
</Extension>
<Input in>
    Module im_msvistalog
</Input>
<Output out>
    Exec $ClientMachine = hostname_fqdn();
    Module om_tcp
    Host 192.168.1.20
    Port 11105
    Exec to_syslog_snare();
</Output>
<Route 1>
    Path in => out
</Route>
NXLog Enterprise and EVTX (eventlog) files
micsnare created
Hello all,
I'm currently running NXLog Enterprise in Version nxlog-4.0.3550-x64
with the following config:
<Input eventlog>
    Module im_msvistalog
    File C:\logs\Security.evtx
</Input>
<Input application>
    Module im_msvistalog
    File C:\logs\Application.evtx
</Input>
Trying to read in from 2 local evtx files.
In the nxlog.log I see the following error:
2019-01-21 14:34:33 ERROR ### ASSERTION FAILED at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->elts))[imconf->q_subs->nelts-1]->query = imconf->_query" ###
2019-01-21 14:34:36 ERROR last message repeated 4 times
2019-01-21 14:34:36 ERROR ### ASSERTION FAILED at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->elts))[imconf->q_subs->nelts-1]->query = imconf->_query" ###
Do you know what I'm doing wrong here?
From what I've read in the manual, the enterprise edition should be able to read evtx files.
best regards,
micsnare