Forward Windows event logs in Log collector Linux

Hi all,

I must send the event logs (only event ID 4626 and 4625) in the log collector Linux. can you help me with configuration?

Thank you.

Emanuele created 5 years ago

Replies: 1

View post »
last updated 5 years ago

nxlog evtx windows eventlog

NXLog Enrichment

I'm attempting to enrich some Windows event logs with "ClientMachine" which needs to equal the hostname. I'm having issues with only some logs coming through with this enriched fields, and others do not contain the ClientMachine enrichment. My config is below. Any help would be greatly appreciated.

Panic Soft define ROOT C:\Program Files\nxlog #ModuleDir %ROOT%\modules #CacheDir %ROOT%\data #SpoolDir %ROOT%\data

#define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf

Note that these two lines define constants only; the log file location

is ultimately set by the `LogFile` directive (see below). The

`MYLOGFILE` define is also used to rotate the log file automatically

(see the `_fileop` block).

define LOGDIR %ROOT%\data define MYLOGFILE %LOGDIR%\nxlog.log

By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This

allows the log file location to be modified via NXLog Manager. If you

are not using NXLog Manager, you can instead set `LogFile` below and

disable the `include` line.

LogFile %MYLOGFILE%

<Extension _syslog> Module xm_syslog </Extension>

<Input in> Module im_msvistalog </Input>

<Output out> Exec $ClientMachine = hostname_fqdn(); Module om_tcp Host 192.168.1.20 Port 11105 Exec to_syslog_snare(); </Output>

JacobY created 6 years ago

Replies: 3

View post »
last updated 5 years ago

nxlog evtx windows eventlog

NXLog Enterprise and EVTX (eventlog) files

Hello all, I'm currently running NXLog Enterprise in Version nxlog-4.0.3550-x64 with the following config: Module im_msvistalog File C:\logs\Security.evtx Module im_msvistalog File C:\logs\Application.evtx Trying to read-in from 2 local evtx files. In the nxlog.log I see the following error: 2019-01-21 14:34:33 ERROR ### ASSERTION FAILED at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->elts))[imconf->q_subs->nelts-1]->query = imconf->_query" ### 2019-01-21 14:34:36 ERROR last message repeated 4 times 2019-01-21 14:34:36 ERROR ### ASSERTION FAILED at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->elts))[imconf->q_subs->nelts-1]->query = imconf->_query" ### Do you know what I'm doing wrong here? From what I've read in the manual, the enterprise edition should be able to read evtx files. best regards, micsnare

micsnare created 6 years ago

Replies: 2

View post »
last updated 6 years ago

nxlog evtx windows eventlog

Note that these two lines define constants only; the log file location

is ultimately set by the LogFile directive (see below). The

MYLOGFILE define is also used to rotate the log file automatically

(see the _fileop block).

By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This

allows the log file location to be modified via NXLog Manager. If you

are not using NXLog Manager, you can instead set LogFile below and

disable the include line.

is ultimately set by the `LogFile` directive (see below). The

`MYLOGFILE` define is also used to rotate the log file automatically

(see the `_fileop` block).

By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This

are not using NXLog Manager, you can instead set `LogFile` below and

disable the `include` line.