Help with Windows Event Log and Queries.

#1 edv
Windows Server 2019
NXLog: nxlog-ce 2.11.2190

Running the Community version to test/trial a SIEM platform (Enterprise will be acquired if the current PoC is selected). From [132.4.2. Example monitoring configurations](https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html) I copied the code block in Example 644 into my nxlog.conf. After a bit of frustration, I pulled the current Server 2019 EventLog item list via `PS> Get-WinEvent -ListLog` and found that there were a few updates/changes. I made those changes, and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:

```
ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.; [error code: 15001]
```

After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being selected, nor any common "typo" errors. Can anyone help me figure out what "error code 15001" means and/or spot where I goofed in my nxlog.conf file?

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog-events.log
LogLevel DEBUG

#Load Extensions
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# define Account Usage Events
define AccountUsage 300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
                    4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
                    4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
                    4781, 4782, 4793, 5376, 5377

# define Application Crash Events
define AppCrashes 1000, 1001, 1002

# define Application Whitelisting Events
define AppWhitelisting 865, 866, 867, 868, 882, 4688, 4689, 8002, \
                       8003, 8004, 8005, 8006, 8007, 8020, 8023

# define Boot Events
define BootEvents 12, 13

# define Certificate Services Events
define CertServices 95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
                    4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899

# define Clearing Event Logs Events
define ClearingLogs 104, 1100, 1102

# define DNS and Directory Services Events
define DNSDirectoryServ 3008, 3020, 5136, 5137, 5138, 5139, 5141

# define External Media Detection events
define ExtMedia 400, 410

# define Group Policy Error Events
define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129

# define Software Service Installation Events
define Installation 2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
                    1022, 1033, 7000, 7045

# define Kernel Driver Signing Events
define KernelDriver 219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                    6281

# define Microsoft Cryptography API Events
define MSFTCryptoAPI 11, 70, 90

# define Mobile Device Activities
define MobileDeviceEvents 10000, 10001

# define Network Host Activities
define NetworkHost 1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
                   4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
                   6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280

# define PowerShell Activities
define PowerShell 169, 800, 4103, 4104, 4105, 4106

# define Printing Services Events
define PrintingServices 307

# define System Integrity Events
define SystemIntegrity 1, 2, 5, 8, 9, 4616, 4657

# define System or Service Failure Events
define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034

# define Windows Defender Activities
define WinDefender 1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
                   1118, 1119, 2001, 2003, 2004, 3002, 5008

# define Windows Firewall Events
define WinFirewall 2005, 2006, 2009, 2033

# define Windows Update Error Events
define WinUpdateError 20, 25, 31, 34, 35

<Input Events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
                <Select PATH="Microsoft-Windows-Backup">*</Select>
                <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
                <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
                <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select>
                <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
                <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
                <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
                <Select Path="Microsoft-Windows-LSA/Operational">*</Select>
                <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
                <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
                <Select Path="OpenSSH/Operational">*</Select>
                <Select Path="PowerShellCore/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID NOT IN (%AccountUsage%)) and
           ($EventID NOT IN (%AppCrashes%)) and
           ($EventID NOT IN (%AppWhitelisting%)) and
           ($EventID NOT IN (%BootEvents%)) and
           ($EventID NOT IN (%CertServices%)) and
           ($EventID NOT IN (%ClearingLogs%)) and
           ($EventID NOT IN (%DNSDirectoryServ%)) and
           ($EventID NOT IN (%ExtMedia%)) and
           ($EventID NOT IN (%GroupPolicyError%)) and
           ($EventID NOT IN (%Installation%)) and
           ($EventID NOT IN (%KernelDriver%)) and
           ($EventID NOT IN (%MSFTCryptoAPI%)) and
           ($EventID NOT IN (%MobileDeviceEvents%)) and
           ($EventID NOT IN (%NetworkHost%)) and
           ($EventID NOT IN (%PowerShell%)) and
           ($EventID NOT IN (%PrintingServices%)) and
           ($EventID NOT IN (%SystemIntegrity%)) and
           ($EventID NOT IN (%SystemServiceFail%)) and
           ($EventID NOT IN (%WinDefender%)) and
           ($EventID NOT IN (%WinFirewall%)) and
           ($EventID NOT IN (%WinUpdateError%))
            drop();
    </Exec>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_tcp
    Host 0.0.0.0
    Port 514
    Exec to_json(); $Message = $raw_event; to_syslog_ietf();
</Output>

<Route 1>
    Path Events => buffer => out
</Route>
```
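An added example (not from the original post or from NXLog): a small Python linter for the `<QueryXML>` block of an nxlog.conf. Windows error 15001 is ERROR_EVT_INVALID_QUERY, so the check looks at what makes a subscription query structurally invalid: every `<Select>` must carry an attribute spelled exactly `Path` (XML attribute names are case-sensitive, and the posted config contains two `<Select PATH=...>` elements), and each channel should appear in the list you get from `Get-WinEvent -ListLog`. The config fragment and the channel set are constructed stand-ins, not the poster's full file or a real `-ListLog` dump.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nxlog.conf fragment (not the full config from the post). It keeps
# the two <Select> elements from the posted config whose attribute reads PATH.
SAMPLE_CONF = """\
<Input Events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select PATH="Microsoft-Windows-Backup">*</Select>
                <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select>
                <Select Path="PowerShellCore/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
"""

# Constructed stand-in for the channel names printed by Get-WinEvent -ListLog
# on the host running nxlog (PowerShellCore is deliberately left out).
KNOWN_CHANNELS = {"Security", "Microsoft-Windows-Backup",
                  "Microsoft-Windows-Kernel-IO/Operational"}

def extract_query_xml(conf_text):
    """Pull the XML between <QueryXML> and </QueryXML> out of an nxlog.conf text."""
    m = re.search(r"<QueryXML>\s*(.*?)\s*</QueryXML>", conf_text, re.S)
    if not m:
        raise ValueError("no <QueryXML> block found")
    return m.group(1)

def lint_query(conf_text, known_channels):
    """Return (kind, detail) findings, one per defective <Select> element."""
    findings = []
    root = ET.fromstring(extract_query_xml(conf_text))
    for sel in root.iter("Select"):
        # XML attribute names are case-sensitive and the event log query schema
        # expects exactly 'Path'; a Select with no Path leaves nothing to
        # subscribe to and the whole query is rejected (15001, ERROR_EVT_INVALID_QUERY).
        if "Path" not in sel.attrib:
            findings.append(("bad_attribute", ", ".join(sel.attrib) or "<none>"))
            continue
        channel = sel.attrib["Path"]
        # A correctly spelled Path can still name a channel this host does not have.
        if channel not in known_channels:
            findings.append(("unknown_channel", channel))
    return findings
```

Point `extract_query_xml` at the real nxlog.conf and feed `lint_query` the names from `Get-WinEvent -ListLog` to reproduce the check on the server itself.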
#2 raf (Nxlog)

Hey,

Please note that you're referring to NXLog Enterprise Edition documentation while trying to run NXLog Community Edition. These two versions vary, and the configuration is not always 100% compatible, since CE is, basically, based on a much older codebase.

If you're trying to build a PoC, I'd rather recommend requesting a free trial. This can get you some help from presales engineers, and if you like the results of the PoC, migration will be much smoother, since you'll avoid potential configuration issues. Notably, NXLog EE is also much more powerful than the CE version.

Best regards,
Raf