Windows logs: EventReceivedTime is later than EventTime - im_msvistalog


Rasan

I am using nxlog to get my Windows logs from a Domain Controller into a SIEM. I am using the im_msvistalog module.

Problem

I am receiving logs with a large amount of delay. The EventReceivedTime is much later than the EventTime. Please have a look at one of the sample log outputs from nxlog.

<14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: {
"EventTime":"2025-06-24T10:56:26.039509+02:00",
"Hostname":"EXHost1.Example.net","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4674,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{91548763-9812-1113-B4AC-12BAC98DDE11}","Version":0,"TaskValue":13056,"OpcodeValue":0,"RecordNumber":355721231415,"ExecutionProcessID":4,"ExecutionThreadID":13033,"Channel":"Security","Message":"An operation was attempted on a privileged object.","Category":"Sensitive Privilege Use","Opcode":"Info","SubjectUserSid":"S-1-5-21-3604662650-2432062322-1707920734-40372","SubjectUserName":"Test_Subject","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x12ab121bc","ObjectServer":"Security","ObjectType":"-","ObjectName":"-","HandleId":"0x1168","AccessMask":"1048577","PrivilegeList":"SeBackupPrivilege","ProcessId":"0x28c0","ProcessName":"C:\\EXAMPLE\\HELLO\\HELLOBIN\\yxnw3018\\dispatch\\knex3alo.exe",
"EventReceivedTime":"2025-06-24T13:04:13.896816+02:00",
"SourceModuleName":"i_win","SourceModuleType":"im_msvistalog"}

The delays are not consistent. They can range from about 10 minutes to sometimes 2 or 3 hours. I have tried to find a pattern but failed to do so.

The resources on the Windows device are sufficient and there have been no outstanding logs in the nxlog/nxlog.log file.

Config

Here is a snippet of the config that I am using. Any help would be highly appreciated.

...
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in>
    Module  im_msvistalog
</Input>

<Output out>
    Module  om_tcp
    Host    10.xx.xx.xx
    Port    514
    Exec    to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path    in => out
</Route>
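Because the post reports that the delay is inconsistent and no pattern was found, the first useful step is to measure it across many records rather than eyeballing single events. The script below is an added example, not code from the original post or from nxlog: it parses lines in the shape the Output above emits (BSD syslog header followed by the JSON body), computes EventReceivedTime minus EventTime per record, and summarises the lag distribution while listing the records that exceed a threshold (assumed here to be 600 seconds). The sample lines are constructed for the example; only the EventTime, EventReceivedTime, RecordNumber and EventID fields are used, and both timestamps are compared as offset-aware datetimes so records with different UTC offsets still compare correctly.

```python
"""Measure nxlog ingestion lag (EventReceivedTime - EventTime) from syslog-wrapped JSON lines."""
import json
import re
from datetime import datetime
from statistics import median

# BSD-syslog header ("<PRI>Mon DD HH:MM:SS host program[pid]: ") followed by the JSON object
# that to_json()/to_syslog_bsd() produce, one record per line.
SYSLOG_JSON_RE = re.compile(r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+\S+\s+[^:]+:\s*(\{.*\})\s*$")

# Constructed sample records in the assumed output shape (not real data).
# Record ...415 mirrors the lag seen in the post (about 2h07m); ...418 mixes UTC and +02:00 offsets.
SAMPLE_LINES = [
    '<14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: '
    '{"EventTime":"2025-06-24T10:56:26+02:00","EventID":4674,"RecordNumber":355721231415,'
    '"EventReceivedTime":"2025-06-24T13:04:13+02:00","SourceModuleType":"im_msvistalog"}',
    '<14>Jun 24 10:57:00 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: '
    '{"EventTime":"2025-06-24T10:57:00+02:00","EventID":4624,"RecordNumber":355721231416,'
    '"EventReceivedTime":"2025-06-24T10:57:02+02:00","SourceModuleType":"im_msvistalog"}',
    '<14>Jun 24 09:00:00 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: '
    '{"EventTime":"2025-06-24T09:00:00+02:00","EventID":4674,"RecordNumber":355721231417,'
    '"EventReceivedTime":"2025-06-24T09:12:30+02:00","SourceModuleType":"im_msvistalog"}',
    '<14>Jun 24 10:00:00 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: '
    '{"EventTime":"2025-06-24T08:00:00+00:00","EventID":4672,"RecordNumber":355721231418,'
    '"EventReceivedTime":"2025-06-24T10:00:05+02:00","SourceModuleType":"im_msvistalog"}',
    'this line has no syslog header and is skipped',
]


def parse_line(line):
    """Return the JSON record embedded in a syslog line, or None if the line does not match."""
    match = SYSLOG_JSON_RE.match(line)
    if not match:
        return None
    try:
        return json.loads(match.group(1))
    except json.JSONDecodeError:
        return None


def lag_seconds(record):
    """Seconds between the Windows event timestamp and the time nxlog read it."""
    event = datetime.fromisoformat(record["EventTime"])
    received = datetime.fromisoformat(record["EventReceivedTime"])
    if event.tzinfo is None or received.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset to be compared safely")
    return (received - event).total_seconds()


def lag_report(lines, threshold_seconds=600):
    """Summarise lag over many lines and list records whose lag exceeds the threshold."""
    lags = []
    late = []
    skipped = 0
    for line in lines:
        record = parse_line(line)
        if record is None or "EventTime" not in record or "EventReceivedTime" not in record:
            skipped += 1
            continue
        lag = lag_seconds(record)
        lags.append(lag)
        if lag > threshold_seconds:
            late.append((record.get("RecordNumber"), record.get("EventID"), lag))
    return {
        "records": len(lags),
        "skipped": skipped,
        "max_lag": max(lags) if lags else 0.0,
        "median_lag": median(lags) if lags else 0.0,
        "late": late,
    }


if __name__ == "__main__":
    report = lag_report(SAMPLE_LINES)
    print(f"records={report['records']} skipped={report['skipped']} "
          f"max_lag={report['max_lag']:.0f}s median_lag={report['median_lag']:.1f}s")
    for record_number, event_id, lag in report["late"]:
        print(f"  late: RecordNumber={record_number} EventID={event_id} lag={lag:.0f}s")
```

Run it against a capture of the real nxlog output (one record per line, as the SIEM receives it) and look at which RecordNumber ranges and EventTime windows the late records cluster in; a lag that grows steadily across consecutive record numbers points at the reader falling behind the channel, whereas isolated jumps point at something between the collector and the SIEM.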