Let's Talk
Let's Talk

Help with Windows Event Log and Queries.

Tags:
#1 edv

Windows Server 2019
NXLog: nxlog-ce 2.11.2190

Running the Community version to test /trial a SEIM platform (Enterprise will be acquired if the current PoC is selected).

From 132.4.2. Example monitoring configurations

I copied the code block in Example 644 into my nxlog.conf.

After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates /changes.

I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:

ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.;  [error code: 15001]

After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors.

Can anyone help me to figure out what "error code 15001" means and /or spot where I goofed in my nxlog.conf file?

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog-events.log
LogLevel DEBUG

#Load Extensions
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# define Account Usage Events
define AccountUsage             300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
                                4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
                                4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
                                4781, 4782, 4793, 5376, 5377

# define Application Crash Events
define AppCrashes               1000, 1001, 1002

# define Application Whitelisting Events
define AppWhitelisting          865, 866, 867, 868, 882, 4688, 4689, 8002, \
                                8003, 8004, 8005, 8006, 8007, 8020, 8023

# define Boot Events
define BootEvents               12, 13

# define Certificate Services Events
define CertServices             95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
                                4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899

# define Clearing Event Logs Events
define ClearingLogs             104, 1100, 1102

# define DNS and Directory Services Events
define DNSDirectoryServ         3008, 3020, 5136, 5137, 5138, 5139, 5141

# define External Media Detection events
define ExtMedia                 400, 410

# define Group Policy Error Events
define GroupPolicyError         112, 1001, 1125, 1126, 1127, 1129

# define Software Service Installation Events
define Installation             2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
                                1022, 1033, 7000, 7045


# define Kernel Driver Signing Events
define KernelDriver             219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                                6281

# define Microsoft Cryptography API Events
define MSFTCryptoAPI            11, 70, 90

# define Mobile Device Activities
define MobileDeviceEvents       10000, 10001

# define Network Host Activities
define NetworkHost              1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
                                4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
                                6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280

# define PowerShell Activities
define PowerShell               169, 800, 4103, 4104, 4105, 4106

# define Printing Services Events
define PrintingServices         307

# define System Integrity Events
define SystemIntegrity          1, 2, 5, 8, 9, 4616, 4657

# define System or Service Failure Events
define SystemServiceFail        7022, 7023, 7024, 7026, 7031, 7032, 7034

# define Windows Defender Activities
define WinDefender              1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
                                1118, 1119, 2001, 2003, 2004, 3002, 5008

# define Windows Firewall Events
define WinFirewall              2005, 2006, 2009, 2033

# define Windows Update Error Events
define WinUpdateError           20, 25, 31, 34, 35

<Input Events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
                <Select PATH="Microsoft-Windows-Backup">*</Select>
                <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
                <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
                <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select>
                <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
                <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
                <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
                <Select Path="Microsoft-Windows-LSA/Operational">*</Select>
                <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
                <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
                <Select Path="OpenSSH/Operational">*</Select>
                <Select Path="PowerShellCore/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
      if    ($EventID NOT IN (%AccountUsage%)) and
            ($EventID NOT IN (%AppCrashes%)) and
            ($EventID NOT IN (%AppWhitelisting%)) and
            ($EventID NOT IN (%BootEvents%)) and
            ($EventID NOT IN (%CertServices%)) and
            ($EventID NOT IN (%ClearingLogs%)) and
            ($EventID NOT IN (%DNSDirectoryServ%)) and
            ($EventID NOT IN (%ExtMedia%)) and
            ($EventID NOT IN (%GroupPolicyError%)) and
            ($EventID NOT IN (%Installation%)) and
            ($EventID NOT IN (%KernelDriver%)) and
            ($EventID NOT IN (%MSFTCryptoAPI%)) and
            ($EventID NOT IN (%MobileDeviceEvents%)) and
            ($EventID NOT IN (%NetworkHost%)) and
            ($EventID NOT IN (%PowerShell%)) and
            ($EventID NOT IN (%PrintingServices%)) and
            ($EventID NOT IN (%SystemIntegrity%)) and
            ($EventID NOT IN (%SystemServiceFail%)) and
            ($EventID NOT IN (%WinDefender%)) and
            ($EventID NOT IN (%WinFirewall%)) and
            ($EventID NOT IN (%WinUpdateError%)) drop();

    </Exec>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module  om_tcp
    Host    0.0.0.0
    Port    514
    Exec    to_json(); $Message = $raw_event; to_syslog_ietf();
</Output>

<Route 1>
    Path Events => buffer => out
</Route>
Permalink
#2 rafDeactivated Nxlog ✓
#1 edv
Windows Server 2019 NXLog: nxlog-ce 2.11.2190 Running the Community version to test /trial a SEIM platform (Enterprise will be acquired if the current PoC is selected). From 132.4.2. Example monitoring configurations I copied the code block in Example 644 into my nxlog.conf. After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates /changes. I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see: ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.; [error code: 15001] After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors. Can anyone help me to figure out what "error code 15001" means and /or spot where I goofed in my nxlog.conf file? define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog-events.log LogLevel DEBUG #Load Extensions <Extension _syslog> Module xm_syslog </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _json> Module xm_json </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> # define Account Usage Events define AccountUsage 300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \ 4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \ 4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \ 4781, 4782, 4793, 5376, 5377 # define Application Crash Events define AppCrashes 1000, 1001, 1002 # define Application Whitelisting Events define AppWhitelisting 865, 866, 867, 868, 882, 4688, 4689, 8002, \ 8003, 8004, 8005, 8006, 8007, 8020, 8023 # define Boot Events define BootEvents 12, 13 # define Certificate Services Events define CertServices 95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \ 4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899 # define Clearing Event Logs Events define ClearingLogs 104, 1100, 1102 # define DNS and Directory Services Events define DNSDirectoryServ 3008, 3020, 5136, 5137, 5138, 5139, 5141 # define External Media Detection events define ExtMedia 400, 410 # define Group Policy Error Events define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129 # define Software Service Installation Events define Installation 2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \ 1022, 1033, 7000, 7045 # define Kernel Driver Signing Events define KernelDriver 219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \ 6281 # define Microsoft Cryptography API Events define MSFTCryptoAPI 11, 70, 90 # define Mobile Device Activities define MobileDeviceEvents 10000, 10001 # define Network Host Activities define NetworkHost 1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \ 4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \ 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280 # define PowerShell Activities define PowerShell 169, 800, 4103, 4104, 4105, 4106 # define Printing Services Events define PrintingServices 307 # define System Integrity Events define SystemIntegrity 1, 2, 5, 8, 9, 4616, 4657 # define System or Service Failure Events define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034 # define Windows Defender Activities define WinDefender 1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \ 1118, 1119, 2001, 2003, 2004, 3002, 5008 # define Windows Firewall Events define WinFirewall 2005, 2006, 2009, 2033 # define Windows Update Error Events define WinUpdateError 20, 25, 31, 34, 35 <Input Events> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Application">*</Select> <Select Path="Security">*</Select> <Select Path="System">*</Select> <Select Path="Windows PowerShell">*</Select> <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select> <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select> <Select PATH="Microsoft-Windows-Backup">*</Select> <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select> <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select> <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select> <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select> <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select> <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select> <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select> <Select Path="Microsoft-Windows-LSA/Operational">*</Select> <Select Path="Microsoft-Windows-NTLM/Operational">*</Select> <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select> <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select> <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> <Select Path="Microsoft-Windows-PrintService/Admin">*</Select> <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select> <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select> <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select> <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select> <Select Path="OpenSSH/Operational">*</Select> <Select Path="PowerShellCore/Operational">*</Select> </Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%AccountUsage%)) and ($EventID NOT IN (%AppCrashes%)) and ($EventID NOT IN (%AppWhitelisting%)) and ($EventID NOT IN (%BootEvents%)) and ($EventID NOT IN (%CertServices%)) and ($EventID NOT IN (%ClearingLogs%)) and ($EventID NOT IN (%DNSDirectoryServ%)) and ($EventID NOT IN (%ExtMedia%)) and ($EventID NOT IN (%GroupPolicyError%)) and ($EventID NOT IN (%Installation%)) and ($EventID NOT IN (%KernelDriver%)) and ($EventID NOT IN (%MSFTCryptoAPI%)) and ($EventID NOT IN (%MobileDeviceEvents%)) and ($EventID NOT IN (%NetworkHost%)) and ($EventID NOT IN (%PowerShell%)) and ($EventID NOT IN (%PrintingServices%)) and ($EventID NOT IN (%SystemIntegrity%)) and ($EventID NOT IN (%SystemServiceFail%)) and ($EventID NOT IN (%WinDefender%)) and ($EventID NOT IN (%WinFirewall%)) and ($EventID NOT IN (%WinUpdateError%)) drop(); </Exec> </Input> <Processor buffer> Module pm_buffer MaxSize 102400 Type disk </Processor> <Output out> Module om_tcp Host 0.0.0.0 Port 514 Exec to_json(); $Message = $raw_event; to_syslog_ietf(); </Output> <Route 1> Path Events => buffer => out </Route>

Hey,

Please note, that you're referring to NXLog Enterprise Edition documentation, while trying to run NXLog Community Edition. These two versions vary, and the configuration is not always 100% compatible, since CE is, basically, based on much older codebase.

If you're trying to build a PoC, I'd rather recommend requesting a free trial.. This can get you some help from presales engineers, and if you like the results of PoC - migration will be much smoother, since you'll avoid potential configuration issues. Noteworthy, NXLog EE is also much more powerful than the CE version.

Best regards,
Raf
Login to see more