Windows Event Logs out in XML


#1 Santiago Sarchetti

Hello, I'm trying to send logs from my Windows server to my SIEM in XML format, but some logs are too long and I see 2 logs instead of just one.

<Input windows>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
          <Query Id="0" Path="Security">
           <Select Path="Security">*</Select>
           <Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress>
          </Query>
        </QueryList>
    </QueryXML>
</Input>
#    
<Output siem>
    Module      om_tcp
    Host        xxx.xxx.xxx.xxx
    Port        514
    Exec        to_xml();
</Output>
# 
# Connect input 'in' to output 'out'
<Route 1>
    Path        windows => siem
</Route>


Can anyone help me?

Thanks

#2 gahorvath

Hi Santiago,


would you be able to share a log sample?

You can capture it by adding one more output like so:

...
<Output file>
   Module om_file
   File 'C:\TEMP\out.log'
</Output>

<Route 1>
    Path windows => siem, file
</Route>

We do not intentionally wrap the log lines, this needs more investigation.

Gabor
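Once the file output above exists, the question is whether the records in it are whole or whether an event really spans two lines. As an added example (not part of this thread and not NXLog's own code), here is a small Python check that reads the captured lines, flags any line that is not a complete `<Event>` document on its own, and glues consecutive fragments back together. The sample lines are constructed to mimic `to_xml()` output, with the second record deliberately split in two.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what om_file would write after to_xml(): one record
# per line, except record 2, which arrived split across two lines.
SAMPLE_LINES = [
    '<Event><EventTime>2024-01-01 10:00:00</EventTime><EventID>4624</EventID>'
    '<Message>An account was successfully logged on</Message></Event>',
    '<Event><EventTime>2024-01-01 10:00:01</EventTime><EventID>4688</EventID>'
    '<Message>A new process has',
    ' been created</Message></Event>',
    '<Event><EventTime>2024-01-01 10:00:02</EventTime><EventID>4672</EventID></Event>',
]


def is_complete_record(text):
    """True if the text is one well-formed XML document rooted at <Event>."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False
    return root.tag == "Event"


def reassemble(lines):
    """Join consecutive lines until they form a complete record.

    Returns (records, leftover) where records is a list of
    (xml_text, lines_consumed) and leftover is any trailing text that never
    became a complete record (an event cut off at the end of the capture).
    """
    records = []
    buf = ""
    consumed = 0
    for line in lines:
        buf += line
        consumed += 1
        if is_complete_record(buf):
            records.append((buf, consumed))
            buf, consumed = "", 0
    return records, buf


def split_events(lines):
    """Event IDs of records that needed more than one line, i.e. were split."""
    records, _ = reassemble(lines)
    return [ET.fromstring(x).findtext("EventID") for x, n in records if n > 1]


if __name__ == "__main__":
    recs, rest = reassemble(SAMPLE_LINES)
    print(f"{len(recs)} records, split: {split_events(SAMPLE_LINES)}, leftover: {rest!r}")
```

A record counted with `lines_consumed` greater than 1 is one the SIEM would have seen as two events; a non-empty leftover means the last event in the capture was cut off.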