Multiple log in Windows Events Log


santiagonahuel.sarchetti@bbva.com

Hi, I have a problem trying to send the raw event of Windows Server 2016. I have this configuration in nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>
<Extension _leef>
    Module xm_leef
</Extension>
<Extension xml>
    Module xm_xml
</Extension>
<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
    Module xm_exec
</Extension>
<Extension rewrite>
    Module xm_rewrite
    Keep EventXML
</Extension>

<Input argentina>
    Module im_msvistalog
    <QueryXML>
        <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[band(Keywords,13510798882111488)]]</Select></Query></QueryList>
    </QueryXML>
</Input>
<Processor buffer1>
    Module pm_buffer
    MaxSize 102400
    Type Mem
</Processor>

<Output qradar>
    Module om_tcp
    Host XXX.XXX.XXX.XXX:514
    Exec $raw_event = $EventXML;
    Exec delete_all();
</Output>

<Route r1>
    Path argentina => buffer1 => qradar
</Route>

but in our SIEM I see this output (every line is a different log):

[Screenshot: image (22).png, SIEM output showing the event split into several lines]

I used "tcpdump" to see if every log is a different packet, but I saw that it's only one packet that has a special character separating the lines (I thought).

Could someone help to solve this? Maybe using "replace" or changing the encoding.


Thanks
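To show why a newline-delimited TCP receiver turns one event into several records, here is an added Python example (not from the original post and not NXLog code): it models a receiver that ends a record at every newline, as the SIEM in the thread appears to, and shows that collapsing the line breaks inside the event XML before sending keeps the event as a single record. The sample event XML is constructed for the example; the namespace is the standard Windows event schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a pretty-printed Windows event, with CRLF line breaks
# between elements, in the shape $EventXML usually has.
SAMPLE_EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">\r\n'
    '  <System>\r\n'
    '    <Provider Name="Microsoft-Windows-Security-Auditing"/>\r\n'
    '    <EventID>4624</EventID>\r\n'
    '    <Channel>Security</Channel>\r\n'
    '  </System>\r\n'
    '  <EventData>\r\n'
    '    <Data Name="TargetUserName">exampleuser</Data>\r\n'
    '  </EventData>\r\n'
    '</Event>\r\n'
)

def flatten_event_xml(event_xml: str) -> str:
    """Remove line breaks and indentation between tags so the whole event sits
    on one line. Text inside elements is left untouched."""
    collapsed = re.sub(r">\s*<", "><", event_xml.strip())
    # Any CR/LF left inside element text would still end a record at a
    # line-delimited receiver, so replace those with spaces as well.
    return collapsed.replace("\r", " ").replace("\n", " ")

def line_delimited_receiver(payload: bytes) -> list[str]:
    """Model of a TCP/syslog receiver that treats every newline as the end of
    one record, which is the behaviour the screenshot in the thread shows."""
    text = payload.decode("utf-8")
    return [line.strip() for line in text.split("\n") if line.strip()]

def records_for(event_xml: str, flatten: bool) -> list[str]:
    """Send one event (flattened or not) terminated by a newline, as a TCP
    output would, and return the records the receiver sees."""
    body = flatten_event_xml(event_xml) if flatten else event_xml
    return line_delimited_receiver((body.rstrip("\r\n") + "\n").encode("utf-8"))

def event_id_of(record: str) -> str:
    """Parse a record as XML to confirm flattening kept it well-formed."""
    ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
    return ET.fromstring(record).find("e:System/e:EventID", ns).text

if __name__ == "__main__":
    print("records without flattening:", len(records_for(SAMPLE_EVENT_XML, False)))
    print("records after flattening:", len(records_for(SAMPLE_EVENT_XML, True)))
```

The same check can be run against a real capture: if `tcpdump -A` shows one TCP segment whose payload contains several line breaks, a line-oriented receiver will count each of them as a record boundary.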