Sending Windows Defender event logs to syslog properly


Adam312312

Hi,

I want to use nxlog to send all Windows logs to syslog, plus Microsoft-Windows-Windows Defender/Operational. However, as "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" doesn't seem to include "Microsoft-Windows-Windows Defender", nxlog doesn't read that config in at start and doesn't send those Windows Defender logs.

How can I get nxlog to send everything it does now, plus Microsoft-Windows-Windows Defender logs, without having to define everything? The only way I can see to do this is with two im_msvistalog defines, i.e.


define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Default channels (Application, System, Security ...)
<Input eventlog>
    Module im_msvistalog
</Input>

# Second input only for the Defender operational channel;
# the multi-line Query value needs backslash continuations
<Input eventlog_defender>
    Module im_msvistalog
    Query  <QueryList> \
               <Query Id="0"> \
                   <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> \
               </Query> \
           </QueryList>
</Input>

<Processor eventlog_transformer>
    Module       pm_transformer
    Exec         $Hostname = hostname();
    OutputFormat syslog_rfc3164
</Processor>

<Output syslogout>
    Module om_ssl
    [removed, but it's to Papertrail]
</Output>

<Route 1>
    Path eventlog => eventlog_transformer => syslogout
</Route>

<Route 2>
    Path eventlog_defender => eventlog_transformer => syslogout
</Route>

That seems to work, except there are three problems compared to when I only have the Microsoft-Windows-Windows Defender input going and the other blocks deleted:

  1. The Windows Defender logging is a little inconsistent: when testing with an EICAR test virus the event doesn't always appear, probably a 50% chance it appears in the syslog (all events appear in the Windows log).
  2. The severity and source are copied from the previous log line (usually info rather than warn severity, and not Microsoft-Windows-Windows Defender), maybe a threading issue?
  3. Each row of text is on its own line rather than all in a single message, which is what happens when it's the only logging to send.

Is there a better way to do 'everything' plus Microsoft-Windows-Windows Defender?
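One way to collect the default channels and the Defender channel through a single im_msvistalog input, as an added example that is not part of the thread and not nxlog's own documentation: a Windows event XML query may carry several Select elements in one Query, so the standard channels and Microsoft-Windows-Windows Defender/Operational can share one input, one Exec chain and one route, and each event's severity and source are taken from its own record. The channel list (Application, System, Security), the om_tcp destination host and port, the SavePos setting and the message-folding Exec are assumptions for illustration; replace them with the real output (the thread's om_ssl to Papertrail) and whatever channels are needed. Running as a service account that can read the Security channel is also assumed.

```nxlog
## Added example, not from the thread. Paths, channel list, host and
## port are assumptions.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    # One query, several channels: the usual three plus the Defender
    # operational channel, so a single input and route handles all of them
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Remember the read position so a restart neither replays nor drops events
    SavePos TRUE
    # Defender detection messages span several lines; fold them so each
    # event leaves as one syslog message (assumption: the receiver wants
    # one event per line)
    Exec $Hostname = hostname(); \
         $Message = replace($Message, "\r\n", " "); \
         $Message = replace($Message, "\n", " ");
</Input>

<Output syslogout>
    Module om_tcp
    # Placeholder collector address; the thread's real output is om_ssl to Papertrail
    Host   syslog.example.invalid
    Port   514
    # BSD syslog framing, the same format pm_transformer's syslog_rfc3164 produces
    Exec   to_syslog_bsd();
</Output>

<Route 1>
    Path eventlog => syslogout
</Route>
```

The registry key named in the question only lists the legacy Application/System/Security style logs; the Microsoft-Windows-* channels, Defender included, are registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels, which is why they have to be named explicitly in the query rather than being picked up from the EventLog key. Because Defender detections are among the events a SOC least wants to lose or see mis-attributed, it is worth checking the collector after an EICAR test for exactly the three symptoms listed above: a missing event, a severity or source that belongs to a neighbouring event, and a detection split across several syslog lines.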