Help with Windows Event Log and Queries.


edv

Windows Server 2019
NXLog: nxlog-ce 2.11.2190

Running the Community version to test/trial a SIEM platform (Enterprise will be acquired if the current PoC is selected).

From 132.4.2. Example monitoring configurations

I copied the code block in Example 644 into my nxlog.conf.

After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates/changes.

I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:

ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.;  [error code: 15001]

After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors.

Can anyone help me to figure out what "error code 15001" means and/or spot where I goofed in my nxlog.conf file?

# Install root; every path below is built from it via %ROOT%.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# nxlog's own diagnostics go here (LogLevel governs how much), not the forwarded events.
LogFile %ROOT%\data\nxlog-events.log
# DEBUG is very chatty; drop back to INFO once the subscription starts cleanly.
LogLevel DEBUG

#Load Extensions
# Provides to_syslog_ietf(), called in the Output block below.
<Extension _syslog>
    Module  xm_syslog
</Extension>

# xm_exec lets Exec blocks run external programs. Nothing in this file calls it;
# loading it anyway widens what a later config edit can do, so it can be removed.
<Extension _exec>
    Module xm_exec
</Extension>

# Provides to_json(), called in the Output block below.
<Extension _json>
    Module  xm_json
</Extension>

# Not referenced by any Exec in this file; the AutodetectCharsets list only
# matters if a charset conversion function is actually called somewhere.
<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# Allow-lists of event IDs used by the filter in the Input block below.
# NOTE: these are bare IDs with no provider/channel attached, and event IDs are
# only unique per provider. Several IDs therefore appear in more than one list
# (1001 in AppCrashes, CertServices and GroupPolicyError; 1002 in AppCrashes and
# CertServices; 2 in Installation and SystemIntegrity; 800 in Installation and
# PowerShell; 1006/1007 in CertServices and WinDefender; 3002 in KernelDriver
# and WinDefender), and any of them will also pass an unrelated event with the
# same number from another channel. Keep a comment line out of the
# backslash-continued lines - a '#' between continuations would break the macro.

# define Account Usage Events
define AccountUsage             300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
                                4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
                                4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
                                4781, 4782, 4793, 5376, 5377

# define Application Crash Events
define AppCrashes               1000, 1001, 1002

# define Application Whitelisting Events
define AppWhitelisting          865, 866, 867, 868, 882, 4688, 4689, 8002, \
                                8003, 8004, 8005, 8006, 8007, 8020, 8023

# define Boot Events
define BootEvents               12, 13

# define Certificate Services Events
define CertServices             95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
                                4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899

# define Clearing Event Logs Events
define ClearingLogs             104, 1100, 1102

# define DNS and Directory Services Events
define DNSDirectoryServ         3008, 3020, 5136, 5137, 5138, 5139, 5141

# define External Media Detection events
define ExtMedia                 400, 410

# define Group Policy Error Events
define GroupPolicyError         112, 1001, 1125, 1126, 1127, 1129

# define Software Service Installation Events
define Installation             2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
                                1022, 1033, 7000, 7045


# define Kernel Driver Signing Events
define KernelDriver             219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                                6281

# define Microsoft Cryptography API Events
define MSFTCryptoAPI            11, 70, 90

# define Mobile Device Activities
define MobileDeviceEvents       10000, 10001

# define Network Host Activities
define NetworkHost              1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
                                4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
                                6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280

# define PowerShell Activities
define PowerShell               169, 800, 4103, 4104, 4105, 4106

# define Printing Services Events
define PrintingServices         307

# define System Integrity Events
define SystemIntegrity          1, 2, 5, 8, 9, 4616, 4657

# define System or Service Failure Events
define SystemServiceFail        7022, 7023, 7024, 7026, 7031, 7032, 7034

# define Windows Defender Activities
define WinDefender              1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
                                1118, 1119, 2001, 2003, 2004, 3002, 5008

# define Windows Firewall Events
define WinFirewall              2005, 2006, 2009, 2033

# define Windows Update Error Events
define WinUpdateError           20, 25, 31, 34, 35

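# Subscribes to the channels listed in QueryXML and keeps only events whose ID
# is in one of the %...% lists defined above; everything else is dropped.
#
# Win32 error 15001 is ERROR_EVT_INVALID_QUERY: the Event Log service rejected
# the XML query itself, before a single event was read. XML attribute names are
# case-sensitive and the Select element takes "Path"; two entries in the original
# query (Microsoft-Windows-Backup and Microsoft-Windows-Kernel-IO/Operational)
# used "PATH", which is a plausible reason for that rejection - both are
# normalised to "Path" below. The other usual cause is a channel name that does
# not exist on this host; compare every Path value against the output of
# Get-WinEvent -ListLog if the error persists.
<Input Events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
                <Select Path="Microsoft-Windows-Backup">*</Select>
                <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
                <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
                <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select>
                <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
                <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-IO/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
                <Select Path="Microsoft-Windows-LSA/Operational">*</Select>
                <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
                <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
                <Select Path="OpenSSH/Operational">*</Select>
                <Select Path="PowerShellCore/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Event IDs are only unique per provider, so an ID present in any list passes
    # whichever channel it came from (e.g. 1001 is in AppCrashes, CertServices
    # and GroupPolicyError). Combine with $Channel or $SourceName if that
    # over-collection matters for the SIEM's volume or detection logic.
    <Exec>
      if    ($EventID NOT IN (%AccountUsage%)) and
            ($EventID NOT IN (%AppCrashes%)) and
            ($EventID NOT IN (%AppWhitelisting%)) and
            ($EventID NOT IN (%BootEvents%)) and
            ($EventID NOT IN (%CertServices%)) and
            ($EventID NOT IN (%ClearingLogs%)) and
            ($EventID NOT IN (%DNSDirectoryServ%)) and
            ($EventID NOT IN (%ExtMedia%)) and
            ($EventID NOT IN (%GroupPolicyError%)) and
            ($EventID NOT IN (%Installation%)) and
            ($EventID NOT IN (%KernelDriver%)) and
            ($EventID NOT IN (%MSFTCryptoAPI%)) and
            ($EventID NOT IN (%MobileDeviceEvents%)) and
            ($EventID NOT IN (%NetworkHost%)) and
            ($EventID NOT IN (%PowerShell%)) and
            ($EventID NOT IN (%PrintingServices%)) and
            ($EventID NOT IN (%SystemIntegrity%)) and
            ($EventID NOT IN (%SystemServiceFail%)) and
            ($EventID NOT IN (%WinDefender%)) and
            ($EventID NOT IN (%WinFirewall%)) and
            ($EventID NOT IN (%WinUpdateError%)) drop();

    </Exec>
</Input>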

# Disk-backed queue between the input and the TCP output so events are not lost
# while the collector is unreachable. pm_buffer's MaxSize is documented in
# kilobytes (~100 MB here) - confirm against the installed version's reference.
<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

# Forwards the filtered events as RFC 5424 syslog over plain TCP.
<Output out>
    Module  om_tcp
    # 0.0.0.0 is the unspecified address, not a reachable collector; om_tcp
    # connects outbound, so this needs the SIEM's hostname/IP (presumably
    # redacted for the post). Security-channel events in cleartext can be read
    # or altered in transit - om_ssl is the TLS counterpart of this module.
    Host    0.0.0.0
    Port    514
    # to_json() serialises every field into $raw_event; copying that into
    # $Message and calling to_syslog_ietf() makes the JSON the syslog MSG part.
    Exec    to_json(); $Message = $raw_event; to_syslog_ietf();
</Output>

# Single pipeline: event subscription -> disk buffer -> TCP syslog output.
<Route 1>
    Path Events => buffer => out
</Route>