Require Windows Event Log in Raw XML Format
I am having trouble configuring NXLog Enterprise to forward Windows Event Log events in the original raw XML format that is shown in the XML View of the Details tab. The required data is:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4624</EventID>
<Version>2</Version>
<Level>Information</Level>
<Task>Logon</Task>
<Opcode>Info</Opcode>
<Keywords>Audit Success</Keywords>
<TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
<EventRecordID>6733</EventRecordID>
<Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
<Execution ProcessID="772" ThreadID="19980"/>
<Channel>Security</Channel>
<Computer>Redacted01</Computer>
<Security/>
</System>
<EventData>
<Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
<Data Name="SubjectUserName">Redacted01$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">Redacted01\Redacted03</Data>
<Data Name="TargetUserName">Redacted03</Data>
<Data Name="TargetDomainName">Redacted01</Data>
<Data Name="TargetLogonId">0x45b8d14</Data>
<Data Name="LogonType">7</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">Redacted01</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x438</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">Redacted02</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">Impersonation</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">No</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">Yes</Data>
</EventData>
</Event>
The data I am currently receiving is the information in the General tab instead.
I have applied the following configuration to convert the data in XML format:
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Extension xml>
Module xm_xml
</Extension>
<Input in_win>
Module im_msvistalog
Query <QueryList> \
<Query Id="0"> \
<Select Path="Application">*</Select> \
<Select Path="System">*</Select> \
<Select Path="Security">*</Select> \
</Query> \
</QueryList>
Exec $Message=$EventXML;$log_type=$event_trace;to_xml();
</Input>
<Output out_win>
Module om_udp
Host 192.168.108.201:514
</Output>
<Route 2>
Path in_win => out_win
</Route>
However, I am not able to get the desired output. The data I am currently receiving is:
09 15 2022 03:53:34 192.168.115.4 <USER:NOTE> <EventTime>2022-09-15 16:38:31</EventTime><Hostname>SOCJH-04.cryptogennepal.com</Hostname><Keywords>9232379236109516800</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4624</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>2</Version><TaskValue>12544</TaskValue><OpcodeValue>0</OpcodeValue><RecordNumber>189928</RecordNumber><ExecutionProcessID>748</ExecutionProcessID><ExecutionThreadID>11540</ExecutionThreadID><Channel>Security</Channel><Message/><Category>Logon</Category><Opcode>Info</Opcode><SubjectUserSid>S-1-5-18</SubjectUserSid><SubjectUserName>SOCJH-04$</SubjectUserName><SubjectDomainName>CGN</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId><TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid><TargetUserName>srijan.kafle</TargetUserName><TargetDomainName>CGN</TargetDomainName><TargetLogonId>0x1e170ee</TargetLogonId><LogonType>7</LogonType><LogonProcessName>Negotiat</LogonProcessName><AuthenticationPackageName>Negotiate</AuthenticationPackageName><WorkstationName>SOCJH-04</WorkstationName><LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid><TransmittedServices>-</TransmittedServices><LmPackageName>-</LmPackageName><KeyLength>0</KeyLength><ProcessId>0x2ec</ProcessId><ProcessName>C:\Windows\System32\lsass.exe</ProcessName><IpAddress>-</IpAddress><IpPort>-</IpPort><ImpersonationLevel>%%1833</ImpersonationLevel><RestrictedAdminMode>-</RestrictedAdminMode><TargetOutboundUserName>-</TargetOutboundUserName><TargetOutboundDomainName>-</TargetOutboundDomainName><VirtualAccount>%%1843</VirtualAccount><TargetLinkedLogonId>0x0</TargetLinkedLogonId><ElevatedToken>%%1843</ElevatedToken><EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime><SourceModuleName>in_win</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType><log_type/></Event>
Requesting assistance/documentation to achieve the desired log format.
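The output shown above is what to_xml() produces: it serializes NXLog's own parsed fields (EventTime, Hostname, SeverityValue, ...), not the event's original XML, and $EventXML is empty (hence the empty Message element) because im_msvistalog only fills it when CaptureEventXML is enabled. The configuration below is an added example, not part of the original post; it keeps the poster's paths, query and destination and assumes NXLog Enterprise Edition, where the CaptureEventXML directive and the $EventXML field exist.

```apacheconf
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Input in_win>
    Module          im_msvistalog
    # Store each event's original <Event ...> XML document in $EventXML.
    # Without this directive the field is undefined, which is why the
    # poster's $Message = $EventXML assignment produced <Message/>.
    CaptureEventXML TRUE
    Query           <QueryList> \
                        <Query Id="0"> \
                            <Select Path="Application">*</Select> \
                            <Select Path="System">*</Select> \
                            <Select Path="Security">*</Select> \
                        </Query> \
                    </QueryList>
    # Forward the captured XML verbatim. Do not call to_xml() here: it would
    # replace $raw_event with NXLog's field-by-field serialization again.
    Exec            $raw_event = $EventXML;
</Input>

<Output out_win>
    # Same destination as the original post (om_udp, host:port syntax).
    Module  om_udp
    Host    192.168.108.201:514
</Output>

<Route r_win>
    Path    in_win => out_win
</Route>
```

A full Security event in raw XML is several kilobytes, larger than a single UDP datagram on many networks, so om_tcp (or om_ssl for transport encryption) is a safer choice than om_udp if the collector supports it.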