Windows Application and Security logs are not sending to RSA Netwitness


#1 vigneshmoorthy

Hi Team,

We are using NXLog to send logs to RSA (SIEM), but a few of the security logs are not being sent to RSA. Below are the event IDs we are not receiving: event IDs from 4860 to 4890. Below is the configuration which we are using in RSA.

Can you please check the configuration below and let me know if anything needs to be changed to receive the Windows Security and Application logs?


define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nslog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Collect the Application and Security channels from the Windows Event Log
<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'></Select>
                <Select Path='Security'></Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward over plain TCP to the RSA collector (host name redacted by the poster);
# convert each event to Snare format, then replace the tab delimiters with commas
<Output out>
    Module om_tcp
    Host   hostname(hided)
    Port   514
    Exec   to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

<Route 1>
    Path in => out
</Route>


#2 Arkadiy

Hello Vignesh,

Could you please share a few things with us:

  • the nxlog version you are using;
  • the OS you are running it on;
  • and is there any way for you to be sure that those events are happening but are not being forwarded? Maybe you have an example you could share with us?

Best regards, Arch
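The third question above (are events 4860 to 4890 actually being written locally, or only not forwarded?) can be answered on the collector itself before touching the NXLog-to-RSA path. The script below is an added example, not code from the thread or from NXLog; it uses the same structured XML query syntax that im_msvistalog accepts in QueryXML, so whatever it matches is what NXLog could collect from the Security channel. It assumes it is run in an elevated PowerShell session on the Windows host running NXLog.

```powershell
# Added example: check locally for Security events 4860-4890 before
# troubleshooting forwarding. The <Select> expression is the same structured
# query syntax the NXLog im_msvistalog QueryXML block accepts, so it can also be
# pasted into the <Query> to restrict collection to this range while testing.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID &gt;= 4860 and EventID &lt;= 4890)]]</Select>
  </Query>
</QueryList>
"@

try {
    $events = Get-WinEvent -FilterXml $query -MaxEvents 500 -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches. An empty result means the host is
    # not producing these events (audit policy, role, or channel), so there is
    # nothing for NXLog to forward; that is a different problem from a broken route.
    Write-Host "No Security events with IDs 4860-4890 found: $($_.Exception.Message)"
    Write-Host "Check which audit subcategories are enabled with: auditpol /get /category:*"
    return
}

# Summarise what exists: one row per event ID with a count and the newest timestamp.
# Compare these IDs and times against what arrives in RSA to isolate the gap.
$events |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    Select-Object @{n = 'EventID'; e = { $_.Name } },
                  Count,
                  @{n = 'Newest';  e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } } |
    Format-Table -AutoSize
```

If events are listed here but never reach RSA, the next place to look is the NXLog LogFile named in the configuration (nslog.log under the data directory) for im_msvistalog or om_tcp errors.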