Forwarding events in EVTX file via syslog

#1 jprad

Initiated a 30-day trial today to test what I had thought would be a fairly straightforward use case.

The following config works fine to forward Windows events from the local machine via syslog, but when I add the File directive for im_msvistalog to the Input module section, the events in the file are not forwarded over syslog. The file is correctly formatted and can be read via the event viewer. I also tested writing the contents of the file to a local JSON file as per the examples in the documentation; that worked fine as well.

The file is publicly available at: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_sysmon-3-rdp-tun.evtx

Here are the contents of the config file:

NoCache True
define LOGHOST 192.168.xxx.xxx

<Extension syslog>
    Module xm_syslog
</Extension>

<Input event_in>
    Module im_msvistalog
    # Path contains spaces, so it must be a quoted string
    File 'C:\Program Files\nxlog\logs\test_log.evtx'
    Exec $Hostname = hostname();
</Input>

<Output tcp_out>
    Module om_tcp
    Host %LOGHOST%:514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path event_in => tcp_out
</Route>

#2 Gabor.Szidonya (Nxlog)

Hi,

The im_msvistalog module is responsible for log collection from the Windows Event Log, but no file input is allowed in the module. For that you need to use im_file with the path of the input file. Since these are two separate modules, they need to be defined independently, and you can add both to the same route at the end of the configuration. Please try to change the configuration to something like this:

NoCache True
define LOGHOST 192.168.xxx.xxx

<Extension syslog>
    Module xm_syslog
</Extension>

<Input event_in>
    Module im_msvistalog
    SavePos TRUE
    ReadFromLast TRUE
    Exec $Hostname = hostname();
</Input>

<Input file_in>
    Module im_file
    # Path contains spaces, so it must be a quoted string
    File 'C:\Program Files\nxlog\logs\test_log.evtx'
    InputType LineBased
    SavePos TRUE
    Exec $Hostname = hostname();
</Input>

<Output tcp_out>
    Module om_tcp
    Host %LOGHOST%:514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path event_in, file_in => tcp_out
</Route>
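Whichever input module ends up feeding tcp_out, the receiving side needs a way to confirm that the Snare-formatted lines from to_syslog_snare() actually arrive and can be split into fields (for example to check that the Sysmon event ID 3 records from the sample file show up). The Python parser and minimal TCP receiver below is an added example, not code from this thread or from NXLog. It assumes the tab-separated Snare layout as commonly documented (MSWinEventLog tag, criticality, log name, counter, timestamp, event ID, provider, user, SID type, event type, computer, category, message text, trailing checksum); verify the field order against the xm_syslog documentation for the NXLog version in use. The sample lines are constructed for the example.

```python
"""Parse Snare-over-syslog lines as emitted by NXLog's to_syslog_snare().

Added example (not part of the forum thread). Field order is an assumption
based on the Snare layout; check it against your NXLog xm_syslog docs.
"""
import re
import socket
from typing import Iterable, Optional

# BSD syslog header produced by xm_syslog: <PRI>Mon dd HH:MM:SS host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Fixed fields that follow the MSWinEventLog tag (assumed Snare order).
LEADING_FIELDS = [
    "criticality", "log", "counter", "datetime", "event_id", "provider",
    "user", "sid_type", "event_type", "computer", "category",
]

# Constructed sample lines: one Sysmon event 3, one Security 4624, one junk line.
SAMPLE_LINES = [
    "<13>Mar  4 10:15:42 WIN-TEST MSWinEventLog\t1\tMicrosoft-Windows-Sysmon/Operational"
    "\t7\tWed Mar 04 10:15:42 2020\t3\tMicrosoft-Windows-Sysmon\tSYSTEM\tUser\tInformation"
    "\tWIN-TEST\tNetwork connection detected (rule: NetworkConnect)"
    "\tNetwork connection detected: Image: C:\\Windows\\System32\\svchost.exe"
    " DestinationPort: 3389\t7",
    "<13>Mar  4 10:15:43 WIN-TEST MSWinEventLog\t1\tSecurity\t8\tWed Mar 04 10:15:43 2020"
    "\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-TEST"
    "\tLogon\tAn account was successfully logged on.\t8",
    "not a snare line",
]


def parse_snare_line(line: str) -> Optional[dict]:
    """Return a dict of fields for one Snare line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.group("msg").split("\t")
    # Need the tag, all leading fields, and at least the trailing checksum field.
    if fields[0] != "MSWinEventLog" or len(fields) < len(LEADING_FIELDS) + 2:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
    }
    rec.update(zip(LEADING_FIELDS, fields[1:1 + len(LEADING_FIELDS)]))
    # Everything between the fixed fields and the last field is message text;
    # rejoin with tabs in case the message itself contained tab characters.
    rec["message"] = "\t".join(fields[1 + len(LEADING_FIELDS):-1])
    rec["checksum"] = fields[-1]
    try:
        rec["event_id"] = int(rec["event_id"])
    except ValueError:
        return None
    return rec


def select_events(lines: Iterable[str], wanted_ids: set) -> list:
    """Parse lines and keep only records whose event ID is in wanted_ids."""
    out = []
    for line in lines:
        rec = parse_snare_line(line)
        if rec is not None and rec["event_id"] in wanted_ids:
            out.append(rec)
    return out


def serve(port: int = 514) -> None:
    """Accept one om_tcp connection and print parsed events (run manually;
    binding a port below 1024 needs elevated privileges)."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
            for line in f:
                rec = parse_snare_line(line)
                if rec is not None:
                    print(rec["event_id"], rec["log"], rec["message"][:80])


if __name__ == "__main__":
    for r in select_events(SAMPLE_LINES, {3, 4624}):
        print(r["event_id"], r["log"], r["message"][:60])
```

Run it as-is to see the constructed samples parsed; call serve() on the LOGHOST machine to watch live lines from om_tcp. Lines that do not match the header or lack the expected field count are dropped rather than guessed at, which is the behaviour you want in a receiver that feeds detection logic.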