Windows Event Logs out in XML
Tags: NXLog Community Edition
#1 Santiago Sarchetti
Hello, I'm trying to send logs from my Windows server to my SIEM in XML format, but some logs are too long and I see 2 logs instead of just one.
# Provides the to_xml() procedure used in the Output block below
<Extension xml>
    Module  xm_xml
</Extension>

<Input windows>
    Module  im_msvistalog
    # Everything from the Security log, minus the high-volume object-access
    # events (4656 handle requested, 4658 handle closed, 4663 object accessed,
    # 4690 handle duplicated)
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*</Select>
                <Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output siem>
    Module  om_tcp
    Host    xxx.xxx.xxx.xxx
    Port    514
    # Serialize every field of the record as XML into $raw_event before sending
    Exec    to_xml();
</Output>

# Connect input 'windows' to output 'siem'
<Route 1>
    Path    windows => siem
</Route>
Can anyone help me?
Thanks
Hi Santiago,
would you be able to share a log sample?
You can capture it by adding one more output like so:
...
<Output file>
    Module  om_file
    # Local copy of the events for inspection
    File    'C:\TEMP\out.log'
</Output>

<Route 1>
    # Deliver each event to both outputs
    Path    windows => siem, file
</Route>
We do not intentionally wrap the log lines; this needs more investigation.
Gabor
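Once a capture like the one Gabor asks for exists, the first thing to check is whether each XML record really occupies one physical line. The script below is an added example for this thread, not NXLog's code and not part of either post. It assumes the capture holds one `<Event>...</Event>` element per record with one child element per field (the shape to_xml() is taken to produce here) and that the SIEM behind om_tcp treats every newline as a record boundary; neither assumption is confirmed by the thread. The sample capture is constructed, with the 4688 event carrying a multi-line Message as Windows event text often does.

```python
"""Find NXLog XML records that a newline-delimited receiver would split.

Added example for this thread; not NXLog's code and not part of either post.
Assumptions: one <Event>...</Event> element per record with one child element
per field, and a SIEM that treats every newline as a record boundary.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for C:\TEMP\out.log: three Security events,
# the second carrying a multi-line Message as Windows event text often does.
SAMPLE_CAPTURE = (
    "<Event><EventTime>2023-05-01 10:00:00</EventTime><Hostname>WIN-SRV1</Hostname>"
    "<EventID>4624</EventID><Message>An account was successfully logged on.</Message></Event>\n"
    "<Event><EventTime>2023-05-01 10:00:01</EventTime><Hostname>WIN-SRV1</Hostname>"
    "<EventID>4688</EventID><Message>A new process has been created.\r\n\r\n"
    "Creator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN-SRV1$</Message></Event>\n"
    "<Event><EventTime>2023-05-01 10:00:02</EventTime><Hostname>WIN-SRV1</Hostname>"
    "<EventID>4634</EventID><Message>An account was logged off.</Message></Event>\n"
)

RECORD_RE = re.compile(r"<Event>.*?</Event>", re.DOTALL)
WRAPPER_RE = re.compile(r"<Event>(.*)</Event>", re.DOTALL)
FIELD_RE = re.compile(r"<(\w+)>(.*?)</\1>", re.DOTALL)
BREAK_RE = re.compile(r"\r\n|\r|\n")
# XML character references keep a record on one physical line while letting
# the receiver's XML parser restore the original line breaks.
BREAK_REFS = {"\r\n": "&#13;&#10;", "\r": "&#13;", "\n": "&#10;"}


def split_records(capture):
    """Return each <Event>...</Event> record as written, line breaks included."""
    return RECORD_RE.findall(capture)


def lines_seen_by_receiver(capture):
    """Count non-blank physical lines: what a newline-delimited receiver ingests."""
    return sum(1 for line in BREAK_RE.split(capture) if line)


def multiline_fields(record):
    """Map field name -> number of line breaks inside that field's text."""
    inner = WRAPPER_RE.fullmatch(record).group(1)
    counts = {}
    for name, text in FIELD_RE.findall(inner):
        breaks = len(BREAK_RE.findall(text))
        if breaks:
            counts[name] = breaks
    return counts


def audit(capture):
    """Report record count, lines a receiver would see, and which records
    (by EventID) carry line breaks in which fields."""
    records = split_records(capture)
    split = []
    for record in records:
        fields = multiline_fields(record)
        if fields:
            match = re.search(r"<EventID>(\d+)</EventID>", record)
            split.append({"event_id": match.group(1) if match else None,
                          "fields": fields})
    return {"records": len(records),
            "lines_seen_by_receiver": lines_seen_by_receiver(capture),
            "split_records": split}


def flatten(record):
    """Rewrite one record onto a single line using XML character references."""
    return BREAK_RE.sub(lambda m: BREAK_REFS[m.group(0)], record)


def flatten_capture(capture):
    """Rewrite a whole capture so every record occupies exactly one line."""
    return "".join(flatten(r) + "\n" for r in split_records(capture))


def restored_text(record, field):
    """Parse a record as XML and return the text of one field, as a SIEM would."""
    return ET.fromstring(record).find(field).text


if __name__ == "__main__":
    # Pass a captured out.log path to audit it; with no argument, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", newline="") as fh:
            data = fh.read()
    else:
        data = SAMPLE_CAPTURE
    print(audit(data))
```

If `lines_seen_by_receiver` exceeds `records`, the receiver is splitting on line breaks that the Windows message text itself contains, and `split_records` names the event IDs and fields responsible. The `flatten` helper shows one way to keep such a record on a single line without losing content: character references survive a newline-delimited transport and are decoded back into the original text by the receiver's XML parser, which a plain replacement of the breaks with spaces would not give you.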