Help with Windows Event Log and Queries.
Tags:
#1
edv
Windows Server 2019
NXLog: nxlog-ce 2.11.2190
Running the Community version to test /trial a SEIM platform (Enterprise will be acquired if the current PoC is selected).
From [132.4.2. Example monitoring configurations](https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html)
I copied the code block in Example 644 into my nxlog.conf.
After a bit of frustration, I pulled the current Server 2019 EventLog item list via `PS> Get-WinEvent -ListLog` and found that there were a few updates /changes.
I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:
```
ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.; [error code: 15001]
```
After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors.
Can anyone help me to figure out what "error code 15001" means and /or spot where I goofed in my nxlog.conf file?
```
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog-events.log
LogLevel DEBUG
#Load Extensions
Module xm_syslog
Module xm_exec
Module xm_json
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
# define Account Usage Events
define AccountUsage 300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
4781, 4782, 4793, 5376, 5377
# define Application Crash Events
define AppCrashes 1000, 1001, 1002
# define Application Whitelisting Events
define AppWhitelisting 865, 866, 867, 868, 882, 4688, 4689, 8002, \
8003, 8004, 8005, 8006, 8007, 8020, 8023
# define Boot Events
define BootEvents 12, 13
# define Certificate Services Events
define CertServices 95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899
# define Clearing Event Logs Events
define ClearingLogs 104, 1100, 1102
# define DNS and Directory Services Events
define DNSDirectoryServ 3008, 3020, 5136, 5137, 5138, 5139, 5141
# define External Media Detection events
define ExtMedia 400, 410
# define Group Policy Error Events
define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129
# define Software Service Installation Events
define Installation 2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
1022, 1033, 7000, 7045
# define Kernel Driver Signing Events
define KernelDriver 219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
6281
# define Microsoft Cryptography API Events
define MSFTCryptoAPI 11, 70, 90
# define Mobile Device Activities
define MobileDeviceEvents 10000, 10001
# define Network Host Activities
define NetworkHost 1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280
# define PowerShell Activities
define PowerShell 169, 800, 4103, 4104, 4105, 4106
# define Printing Services Events
define PrintingServices 307
# define System Integrity Events
define SystemIntegrity 1, 2, 5, 8, 9, 4616, 4657
# define System or Service Failure Events
define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034
# define Windows Defender Activities
define WinDefender 1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
1118, 1119, 2001, 2003, 2004, 3002, 5008
# define Windows Firewall Events
define WinFirewall 2005, 2006, 2009, 2033
# define Windows Update Error Events
define WinUpdateError 20, 25, 31, 34, 35
Module im_msvistalog
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
if ($EventID NOT IN (%AccountUsage%)) and
($EventID NOT IN (%AppCrashes%)) and
($EventID NOT IN (%AppWhitelisting%)) and
($EventID NOT IN (%BootEvents%)) and
($EventID NOT IN (%CertServices%)) and
($EventID NOT IN (%ClearingLogs%)) and
($EventID NOT IN (%DNSDirectoryServ%)) and
($EventID NOT IN (%ExtMedia%)) and
($EventID NOT IN (%GroupPolicyError%)) and
($EventID NOT IN (%Installation%)) and
($EventID NOT IN (%KernelDriver%)) and
($EventID NOT IN (%MSFTCryptoAPI%)) and
($EventID NOT IN (%MobileDeviceEvents%)) and
($EventID NOT IN (%NetworkHost%)) and
($EventID NOT IN (%PowerShell%)) and
($EventID NOT IN (%PrintingServices%)) and
($EventID NOT IN (%SystemIntegrity%)) and
($EventID NOT IN (%SystemServiceFail%)) and
($EventID NOT IN (%WinDefender%)) and
($EventID NOT IN (%WinFirewall%)) and
($EventID NOT IN (%WinUpdateError%)) drop();
Module pm_buffer
MaxSize 102400
Type disk
Module om_tcp
Host 0.0.0.0
Port 514
Exec to_json(); $Message = $raw_event; to_syslog_ietf();
Path Events => buffer => out
```
#1
edv
Windows Server 2019
NXLog: nxlog-ce 2.11.2190
Running the Community version to test /trial a SEIM platform (Enterprise will be acquired if the current PoC is selected).
From 132.4.2. Example monitoring configurations
I copied the code block in Example 644 into my nxlog.conf.
After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates /changes.
I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:
ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.; [error code: 15001]
After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors.
Can anyone help me to figure out what "error code 15001" means and /or spot where I goofed in my nxlog.conf file?
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog-events.log
LogLevel DEBUG
#Load Extensions
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
# define Account Usage Events
define AccountUsage 300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
4781, 4782, 4793, 5376, 5377
# define Application Crash Events
define AppCrashes 1000, 1001, 1002
# define Application Whitelisting Events
define AppWhitelisting 865, 866, 867, 868, 882, 4688, 4689, 8002, \
8003, 8004, 8005, 8006, 8007, 8020, 8023
# define Boot Events
define BootEvents 12, 13
# define Certificate Services Events
define CertServices 95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899
# define Clearing Event Logs Events
define ClearingLogs 104, 1100, 1102
# define DNS and Directory Services Events
define DNSDirectoryServ 3008, 3020, 5136, 5137, 5138, 5139, 5141
# define External Media Detection events
define ExtMedia 400, 410
# define Group Policy Error Events
define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129
# define Software Service Installation Events
define Installation 2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
1022, 1033, 7000, 7045
# define Kernel Driver Signing Events
define KernelDriver 219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
6281
# define Microsoft Cryptography API Events
define MSFTCryptoAPI 11, 70, 90
# define Mobile Device Activities
define MobileDeviceEvents 10000, 10001
# define Network Host Activities
define NetworkHost 1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280
# define PowerShell Activities
define PowerShell 169, 800, 4103, 4104, 4105, 4106
# define Printing Services Events
define PrintingServices 307
# define System Integrity Events
define SystemIntegrity 1, 2, 5, 8, 9, 4616, 4657
# define System or Service Failure Events
define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034
# define Windows Defender Activities
define WinDefender 1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
1118, 1119, 2001, 2003, 2004, 3002, 5008
# define Windows Firewall Events
define WinFirewall 2005, 2006, 2009, 2033
# define Windows Update Error Events
define WinUpdateError 20, 25, 31, 34, 35
<Input Events>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Application">*</Select>
<Select Path="Security">*</Select>
<Select Path="System">*</Select>
<Select Path="Windows PowerShell">*</Select>
<Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
<Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
<Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
<Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
<Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
<Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
<Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
<Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
<Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
<Select PATH="Microsoft-Windows-Backup">*</Select>
<Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
<Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
<Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select>
<Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
<Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
<Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select>
<Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
<Select Path="Microsoft-Windows-LSA/Operational">*</Select>
<Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
<Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
<Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
<Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
<Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
<Select Path="Microsoft-Windows-Time-Service/Operational">*</Select>
<Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
<Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
<Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
<Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
<Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
<Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
<Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
<Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
<Select Path="OpenSSH/Operational">*</Select>
<Select Path="PowerShellCore/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if ($EventID NOT IN (%AccountUsage%)) and
($EventID NOT IN (%AppCrashes%)) and
($EventID NOT IN (%AppWhitelisting%)) and
($EventID NOT IN (%BootEvents%)) and
($EventID NOT IN (%CertServices%)) and
($EventID NOT IN (%ClearingLogs%)) and
($EventID NOT IN (%DNSDirectoryServ%)) and
($EventID NOT IN (%ExtMedia%)) and
($EventID NOT IN (%GroupPolicyError%)) and
($EventID NOT IN (%Installation%)) and
($EventID NOT IN (%KernelDriver%)) and
($EventID NOT IN (%MSFTCryptoAPI%)) and
($EventID NOT IN (%MobileDeviceEvents%)) and
($EventID NOT IN (%NetworkHost%)) and
($EventID NOT IN (%PowerShell%)) and
($EventID NOT IN (%PrintingServices%)) and
($EventID NOT IN (%SystemIntegrity%)) and
($EventID NOT IN (%SystemServiceFail%)) and
($EventID NOT IN (%WinDefender%)) and
($EventID NOT IN (%WinFirewall%)) and
($EventID NOT IN (%WinUpdateError%)) drop();
</Exec>
</Input>
<Processor buffer>
Module pm_buffer
MaxSize 102400
Type disk
</Processor>
<Output out>
Module om_tcp
Host 0.0.0.0
Port 514
Exec to_json(); $Message = $raw_event; to_syslog_ietf();
</Output>
<Route 1>
Path Events => buffer => out
</Route>
Hey,
Please note, that you're referring to NXLog Enterprise Edition documentation, while trying to run NXLog Community Edition. These two versions vary, and the configuration is not always 100% compatible, since CE is, basically, based on much older codebase.
If you're trying to build a PoC, I'd rather recommend requesting a free trial.. This can get you some help from presales engineers, and if you like the results of PoC - migration will be much smoother, since you'll avoid potential configuration issues. Noteworthy, NXLog EE is also much more powerful than the CE version.
Best regards,
Raf
