Request trial
Request Trial

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

Tags: NXLog Enterprise Edition
#1 shahpasandi

Got this error while trying to forward windows 11 event logs to SIEM:

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

my  nxlog config is here

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension json>
Module      xm_json
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>


Nxlog internal logs


<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>


Win Event Log - Security


<Input inSecurityEvent>
Module im_msvistalog
Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList>
Exec $Message = to_json();
</Input>
<Output outSecurityEvent>
Module om_tcp
Host X.X.X.X
Port 5060
Exec     $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); 

to_json();
Exec to_json();
Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event);
</Output>
<Route 1>
Path inSecurityEvent => outSecurityEvent
</Route>

This works fine on other version of windows. the problem is windows 11

Permalink
#2 konstantinos Nxlog ✓
#1 shahpasandi
Got this error while trying to forward windows 11 event logs to SIEM:ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.my  nxlog config is heredefine ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension fileop> Module xm_fileop </Extension> Nxlog internal logs <Input internal> Module im_internal Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json(); </Input> Win Event Log - Security <Input inSecurityEvent> Module im_msvistalog Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList> Exec $Message = to_json(); </Input> <Output outSecurityEvent> Module om_tcp Host X.X.X.X Port 5060 Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json(); Exec to_json(); Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event); </Output> <Route 1> Path inSecurityEvent => outSecurityEvent </Route>This works fine on other version of windows. the problem is windows 11

Hi Mohammad,

Could you please try to define the channel in a different way:

<Input inSecurityEvent>
  Module im_msvistalog
  <QueryXML>
    <QueryList> 
     <Query Id='1'>
         <Select Path='Security'>*</Select>
     </Query>
    </QueryList>
  </QueryXML>
  Exec $Message = to_json();
</Input>

or

<Input inSecurityEvent>
  Module im_msvistalog
  Channel Security
  Exec $Message = to_json();
</Input>

I hope this helps.

Cheers,

Konstantinos

 
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS