Require Windows Event log in Raw XML Format
Tags:
im_msvistalog
#1
Srijan
I am having trouble configuring NXLog Enterprise to forward the Windows Event Log in the original raw XML format that is shown in the XML View of the Details tab. The required data is:
4624
2
Information
Logon
Info
Audit Success
6733
Security
Redacted01
NT AUTHORITY\SYSTEM
Redacted01$
WORKGROUP
0x3e7
Redacted01\Redacted03
Redacted03
Redacted01
0x45b8d14
7
User32
Negotiate
Redacted01
{00000000-0000-0000-0000-000000000000}
-
-
0
0x438
C:\Windows\System32\svchost.exe
Redacted02
0
Impersonation
-
-
-
No
0x0
Yes
The data I am currently receiving is the information in the General tab instead.
I have applied the following configuration to convert the data to XML format:
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Block tags were stripped when this post was extracted and are restored here;
# the extension and route names (_syslog, _json, _xml, r1) are assumed.
<Extension _syslog>
    Module xm_syslog
</Extension>
<Extension _json>
    Module xm_json
</Extension>
<Extension _xml>
    Module xm_xml
</Extension>

<Input in_win>
    Module im_msvistalog
    # Channel names were also lost; Application, Security and System are assumed (event 4624 is in Security).
    Query  <QueryList> \
               <Query Id="0"> \
                   <Select Path="Application">*</Select> \
                   <Select Path="Security">*</Select> \
                   <Select Path="System">*</Select> \
               </Query> \
           </QueryList>
    Exec   $Message = $EventXML; $log_type = $event_trace; to_xml();
</Input>

<Output out_win>
    Module om_udp
    Host   192.168.108.201:514
</Output>

<Route r1>
    Path   in_win => out_win
</Route>
However, I am not able to get the desired output. The data I am currently receiving is:
09 15 2022 03:53:34 192.168.115.4 2022-09-15 16:38:31SOCJH-04.cryptogennepal.com9232379236109516800AUDIT_SUCCESS2INFO4624Microsoft-Windows-Security-Auditing{54849625-5478-4994-A5BA-3E3B0328C30D}212544018992874811540SecurityLogonInfoS-1-5-18SOCJH-04$CGN0x3e7S-1-5-21-1983202128-2021996171-226450221-1105srijan.kafleCGN0x1e170ee7NegotiatNegotiateSOCJH-04{4eaf9196-9215-5425-4e8c-729f74b2f1ce}--00x2ecC:\Windows\System32\lsass.exe--%%1833---%%18430x0%%18432022-09-15 16:38:33in_winim_msvistalog
Requesting assistance/documentation to achieve the desired log format
Hello Sir,
Please check the following example in our documentation.
Sincerely,
Klevin
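The output quoted in the post is what to_xml() produces: that procedure serialises every field NXLog parsed from the event (EventTime, Hostname, Keywords, EventType, and so on) into its own XML document and writes it to $raw_event, which is not the Event Viewer XML. The raw event document is only available in $EventXML when im_msvistalog is told to capture it. The configuration below is an added example for this thread, not the poster's config and not the page Klevin links to; the block names (_syslog, in_win, out_win, r1) and the Security-only query are assumptions, the collector address is the one from the post, and $event_trace is left out because nothing on this page defines it.

```apache
# Added example, not from the thread: forward the event exactly as shown in
# Event Viewer's XML view. Names marked as assumed are not from the post.
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Only needed for the optional to_syslog_bsd() call in the output block.
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in_win>
    Module  im_msvistalog
    # Without this directive $EventXML stays empty and only the parsed fields
    # exist; with it the module stores the original <Event> document there.
    CaptureEventXML TRUE
    # Assumed query: the Security channel, which carries event 4624. Narrow it
    # with an XPath filter (e.g. *[System[(EventID=4624)]]) if needed.
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="Security">*</Select> \
                </Query> \
            </QueryList>
    # Make the raw XML the record payload. Do NOT call to_xml() here: it would
    # replace $raw_event with an XML dump of NXLog's own fields instead.
    Exec    $raw_event = $EventXML;
</Input>

<Output out_win>
    Module  om_udp
    Host    192.168.108.201:514
    # Optional: build a BSD syslog line in $raw_event with the XML as the body
    # so the collector can route it like any other syslog message.
    # Exec  $Message = $EventXML; to_syslog_bsd();
</Output>

<Route r1>
    Path    in_win => out_win
</Route>
```

To check the result, look at the collector for a message that starts with `<Event xmlns=` and contains `<EventData>` with `<Data Name="TargetUserName">`; if it instead starts with `<EventTime>` or `<Hostname>`, a to_xml() call is still in the path. Two caveats a practitioner should weigh before leaving this in place: a raw 4624 record is a few kilobytes and some events (PowerShell script blocks, for example) are far larger, so over UDP they arrive as fragmented datagrams and a receiver that caps line length will truncate the XML; and the Security channel is being shipped in clear text, so for anything beyond a lab the om_tcp or om_ssl output modules (TLS) are the appropriate transport to the collector.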