Using NXLog to Netwitness

#1 jwilliams1010

Hi,

Netwitness uses decoders. The job of a decoder is to select a parser to parse log files.

The Netwitness LogDecoder shows Service Type as unknown, but I was expecting to see winevent_snare.

My NXLog config uses Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare(); to send Windows log data to the Netwitness collector/decoder.

The problem is that the decoder is using unknown or rxlinux as the service type, not winevent_snare, to parse my Windows log files. I was expecting the decoder to use winevent_snare, but it is not.

Does anyone have a working NXLog config file to collect windows event logs to Netwitness?

Thanks for your assistance, Jim
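For reference, here is a minimal NXLog configuration that ships Windows Event Log records to a Log Decoder in Snare-over-syslog format. This is an added example, not jwilliams1010's config and not something from the Netwitness side: the decoder address (192.0.2.10), the UDP transport on port 514, and the route name are assumptions; change them to match your environment. The module and function names (im_msvistalog, xm_syslog, om_udp, to_syslog_snare()) are standard NXLog.

```nxlog
# Added example config (not the original poster's). Forward Windows Event
# Log to a Netwitness Log Decoder as Snare-formatted syslog.

# Placeholder: replace with your Log Decoder / collector address.
define DECODER_HOST 192.0.2.10

# xm_syslog provides to_syslog_snare(), which builds the Snare
# tab-delimited record into $raw_event.
<Extension _syslog>
    Module      xm_syslog
</Extension>

# Read the local Windows Event Log (Vista and later).
<Input eventlog>
    Module      im_msvistalog
</Input>

# Send over UDP/514. Swap Module to om_tcp if the decoder is
# configured for a TCP listener; Host/Port stay the same.
<Output netwitness>
    Module      om_udp
    Host        %DECODER_HOST%
    Port        514
    # Order matters: flatten tabs and line breaks inside the message
    # body first so the Snare record stays cleanly tab-delimited, then
    # call to_syslog_snare() to produce the final syslog line.
    Exec        $Message =~ s/(\t|\R)/ /g; to_syslog_snare();
</Output>

<Route eventlog_to_netwitness>
    Path        eventlog => netwitness
</Route>
```

One check worth doing before looking at the decoder at all: capture a few outgoing lines on the wire (a packet capture on port 514 from the Windows host) and confirm they are single-line, tab-separated Snare records. If the records look right on the wire but the decoder still reports the service type as unknown or rxlinux, the mismatch is on the decoder side (parser selection or listener configuration), not in the NXLog output, and that narrows where to look.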

#2 raf (Nxlog)

Hey,

I'm not sure which formats can be used in Netwitness, could you share what options you have?

Best regards,
Raf