Require Windows Event log in Raw XML Format


#1 Srijan

I am having trouble configuring NXlog Enterprise to forward Windows Event log in the original raw XML format that is shown in the XML View in Details Tab. The required data is:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
		<EventID>4624</EventID>
		<Version>2</Version>
		<Level>Information</Level>
		<Task>Logon</Task>
		<Opcode>Info</Opcode>
		<Keywords>Audit Success</Keywords>
		<TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
		<EventRecordID>6733</EventRecordID>
		<Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
		<Execution ProcessID="772" ThreadID="19980"/>
		<Channel>Security</Channel>
		<Computer>Redacted01</Computer>
		<Security/>
	</System>
	<EventData>
		<Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
		<Data Name="SubjectUserName">Redacted01$</Data>
		<Data Name="SubjectDomainName">WORKGROUP</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">Redacted01\Redacted03</Data>
		<Data Name="TargetUserName">Redacted03</Data>
		<Data Name="TargetDomainName">Redacted01</Data>
		<Data Name="TargetLogonId">0x45b8d14</Data>
		<Data Name="LogonType">7</Data>
		<Data Name="LogonProcessName">User32 </Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">Redacted01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x438</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">Redacted02</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">Impersonation</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">No</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">Yes</Data>
	</EventData>
</Event>

The data I am currently receiving is the informatio in the General Tab instead.

I have applied the following configuration to convert the data in XML format:

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Extension xml>
    Module xm_xml
</Extension>

<Input in_win>
    Module im_msvistalog
        Query <QueryList> \
            <Query Id="0"> \
                <Select Path="Application">*</Select> \
                <Select Path="System">*</Select> \
                <Select Path="Security">*</Select> \
            </Query> \
        </QueryList>
	Exec $Message=$EventXML;$log_type=$event_trace;to_xml();
</Input>

<Output out_win>
    Module om_udp
        Host 192.168.108.201:514
</Output>

<Route 2>
    Path in_win => out_win
</Route>

However, I am not able to get the desired output. The data I am currently receiving is:

09 15 2022 03:53:34 192.168.115.4 <USER:NOTE> <EventTime>2022-09-15 16:38:31</EventTime><Hostname>SOCJH-04.cryptogennepal.com</Hostname><Keywords>9232379236109516800</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4624</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>2</Version><TaskValue>12544</TaskValue><OpcodeValue>0</OpcodeValue><RecordNumber>189928</RecordNumber><ExecutionProcessID>748</ExecutionProcessID><ExecutionThreadID>11540</ExecutionThreadID><Channel>Security</Channel><Message/><Category>Logon</Category><Opcode>Info</Opcode><SubjectUserSid>S-1-5-18</SubjectUserSid><SubjectUserName>SOCJH-04$</SubjectUserName><SubjectDomainName>CGN</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId><TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid><TargetUserName>srijan.kafle</TargetUserName><TargetDomainName>CGN</TargetDomainName><TargetLogonId>0x1e170ee</TargetLogonId><LogonType>7</LogonType><LogonProcessName>Negotiat</LogonProcessName><AuthenticationPackageName>Negotiate</AuthenticationPackageName><WorkstationName>SOCJH-04</WorkstationName><LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid><TransmittedServices>-</TransmittedServices><LmPackageName>-</LmPackageName><KeyLength>0</KeyLength><ProcessId>0x2ec</ProcessId><ProcessName>C:\Windows\System32\lsass.exe</ProcessName><IpAddress>-</IpAddress><IpPort>-</IpPort><ImpersonationLevel>%%1833</ImpersonationLevel><RestrictedAdminMode>-</RestrictedAdminMode><TargetOutboundUserName>-</TargetOutboundUserName><TargetOutboundDomainName>-</TargetOutboundDomainName><VirtualAccount>%%1843</VirtualAccount><TargetLinkedLogonId>0x0</TargetLinkedLogonId><ElevatedToken>%%1843</ElevatedToken><EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime><SourceModuleName>in_win</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType><log_type/></Event>

Requesting assistance/documentation to achieve the desired log format

#2 KlevinDeactivated Nxlog ✓
#1 Srijan
I am having trouble configuring NXlog Enterprise to forward Windows Event log in the original raw XML format that is shown in the XML View in Details Tab. The required data is: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/> <EventID>4624</EventID> <Version>2</Version> <Level>Information</Level> <Task>Logon</Task> <Opcode>Info</Opcode> <Keywords>Audit Success</Keywords> <TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/> <EventRecordID>6733</EventRecordID> <Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/> <Execution ProcessID="772" ThreadID="19980"/> <Channel>Security</Channel> <Computer>Redacted01</Computer> <Security/> </System> <EventData> <Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data> <Data Name="SubjectUserName">Redacted01$</Data> <Data Name="SubjectDomainName">WORKGROUP</Data> <Data Name="SubjectLogonId">0x3e7</Data> <Data Name="TargetUserSid">Redacted01\Redacted03</Data> <Data Name="TargetUserName">Redacted03</Data> <Data Name="TargetDomainName">Redacted01</Data> <Data Name="TargetLogonId">0x45b8d14</Data> <Data Name="LogonType">7</Data> <Data Name="LogonProcessName">User32 </Data> <Data Name="AuthenticationPackageName">Negotiate</Data> <Data Name="WorkstationName">Redacted01</Data> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x438</Data> <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data> <Data Name="IpAddress">Redacted02</Data> <Data Name="IpPort">0</Data> <Data Name="ImpersonationLevel">Impersonation</Data> <Data Name="RestrictedAdminMode">-</Data> <Data Name="TargetOutboundUserName">-</Data> <Data Name="TargetOutboundDomainName">-</Data> <Data Name="VirtualAccount">No</Data> <Data Name="TargetLinkedLogonId">0x0</Data> <Data Name="ElevatedToken">Yes</Data> </EventData> </Event> The data I am currently receiving is the informatio in the General Tab instead. I have applied the following configuration to convert the data in XML format: define ROOT C:\Program Files\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog> Module xm_syslog </Extension> <Extension _json> Module xm_json </Extension> <Extension xml> Module xm_xml </Extension> <Input in_win> Module im_msvistalog Query <QueryList> \ <Query Id="0"> \ <Select Path="Application">*</Select> \ <Select Path="System">*</Select> \ <Select Path="Security">*</Select> \ </Query> \ </QueryList> Exec $Message=$EventXML;$log_type=$event_trace;to_xml(); </Input> <Output out_win> Module om_udp Host 192.168.108.201:514 </Output> <Route 2> Path in_win => out_win </Route> However, I am not able to get the desired output. The data I am currently receiving is: 09 15 2022 03:53:34 192.168.115.4 <USER:NOTE> <EventTime>2022-09-15 16:38:31</EventTime><Hostname>SOCJH-04.cryptogennepal.com</Hostname><Keywords>9232379236109516800</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4624</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>2</Version><TaskValue>12544</TaskValue><OpcodeValue>0</OpcodeValue><RecordNumber>189928</RecordNumber><ExecutionProcessID>748</ExecutionProcessID><ExecutionThreadID>11540</ExecutionThreadID><Channel>Security</Channel><Message/><Category>Logon</Category><Opcode>Info</Opcode><SubjectUserSid>S-1-5-18</SubjectUserSid><SubjectUserName>SOCJH-04$</SubjectUserName><SubjectDomainName>CGN</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId><TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid><TargetUserName>srijan.kafle</TargetUserName><TargetDomainName>CGN</TargetDomainName><TargetLogonId>0x1e170ee</TargetLogonId><LogonType>7</LogonType><LogonProcessName>Negotiat</LogonProcessName><AuthenticationPackageName>Negotiate</AuthenticationPackageName><WorkstationName>SOCJH-04</WorkstationName><LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid><TransmittedServices>-</TransmittedServices><LmPackageName>-</LmPackageName><KeyLength>0</KeyLength><ProcessId>0x2ec</ProcessId><ProcessName>C:\Windows\System32\lsass.exe</ProcessName><IpAddress>-</IpAddress><IpPort>-</IpPort><ImpersonationLevel>%%1833</ImpersonationLevel><RestrictedAdminMode>-</RestrictedAdminMode><TargetOutboundUserName>-</TargetOutboundUserName><TargetOutboundDomainName>-</TargetOutboundDomainName><VirtualAccount>%%1843</VirtualAccount><TargetLinkedLogonId>0x0</TargetLinkedLogonId><ElevatedToken>%%1843</ElevatedToken><EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime><SourceModuleName>in_win</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType><log_type/></Event> Requesting assistance/documentation to achieve the desired log format

Hello Sir,

Please check the following example in our documentation .

Sincerely Klevin