Windows logs EventReceivedTime is later than EventTime - im_msvistalog
I am using nxlog to get my Windows logs from a Domain Controller into a SIEM. I am using the im_msvistalog module.
Problem
I am receiving logs with a large amount of delay. The EventReceivedTime is much later than the EventTime. Please have a look at one of the sample logs output by nxlog.
<14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: {
"EventTime":"2025-06-24T10:56:26.039509+02:00",
"Hostname":"EXHost1.Example.net","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4674,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{91548763-9812-1113-B4AC-12BAC98DDE11}","Version":0,"TaskValue":13056,"OpcodeValue":0,"RecordNumber":355721231415,"ExecutionProcessID":4,"ExecutionThreadID":13033,"Channel":"Security","Message":"An operation was attempted on a privileged object.","Category":"Sensitive Privilege Use","Opcode":"Info","SubjectUserSid":"S-1-5-21-3604662650-2432062322-1707920734-40372","SubjectUserName":"Test_Subject","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x12ab121bc","ObjectServer":"Security","ObjectType":"-","ObjectName":"-","HandleId":"0x1168","AccessMask":"1048577","PrivilegeList":"SeBackupPrivilege","ProcessId":"0x28c0","ProcessName":"C:\\EXAMPLE\\HELLO\\HELLOBIN\\yxnw3018\\dispatch\\knex3alo.exe",
"EventReceivedTime":"2025-06-24T13:04:13.896816+02:00",
"SourceModuleName":"i_win","SourceModuleType":"im_msvistalog"}
The delays are not consistent. They can range from about 10 minutes to sometimes 2 or 3 hours. I have tried to find a pattern but failed to do so.
The resources on the Windows device are sufficient and there have been no outstanding logs in the nxlog/nxlog.log file.
Config
Here is the snippet of my config that I am using. Any help would be highly appreciated.
...
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in>
    Module  im_msvistalog
</Input>

<Output out>
    Module  om_tcp
    Host    10.xx.xx.xx
    Port    514
    Exec    to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path    in => out
</Route>
Hello.
We are aware of this behavior on some hosts for other customers. Unfortunately, it takes place somewhere inside Windows. For the case I personally investigated, the delay for AppCrash reports occurred somewhere between WER (Event Crash Reporter, former DrWatson, if somebody remembers) and Windows Event Log itself. We grabbed this data from WER reports, so it happens before the NXLog software touches it.
It's LDAP time format - you can check yourself: https://www.epochconverter.com/ldap
The longest delay I've seen is around 3 weeks. I do not know why it is delayed.
We tried to report this behavior to Microsoft, both directly and via that client. Unfortunately, we did not get a meaningful response.
At least, I can assure you that $EventTime contains a timestamp when the event happened, as it is extracted from the original structure.
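The question shows the lag only by eye, and the answer's point is that $EventTime is the trustworthy timestamp while $EventReceivedTime merely records when nxlog read the event. A practical check is to measure EventReceivedTime minus EventTime across the stream so that the delay can be tracked as a health metric and SIEM searches can be keyed on EventTime. The following Python script is an added example, not code from the original post or from NXLog; it assumes the output format shown in the question (a BSD syslog header followed by one JSON object produced by to_json(); $Message = $raw_event; to_syslog_bsd();). The sample lines are constructed to mirror that format; the field subset, the 5-minute threshold and the function names are this example's own choices.

```python
"""Measure EventTime -> EventReceivedTime lag in nxlog im_msvistalog output.

Added example, not part of the original post or of NXLog. It assumes the
line shape from the question: "<PRI>Mon dd hh:mm:ss host tag[pid]: {json}".
"""
import json
import re
import statistics
from datetime import datetime, timedelta

# BSD syslog header followed by the JSON payload to_json() produced.
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+[^:]+:\s*(?P<json>\{.*\})\s*$"
)


def parse_line(line: str) -> dict:
    """Strip the syslog header and decode the JSON event; raise on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an nxlog syslog+JSON line: %r" % line[:60])
    return json.loads(m.group("json"))


def event_lag(event: dict) -> timedelta:
    """EventReceivedTime minus EventTime.

    Both stamps carry a UTC offset, so the subtraction is offset-aware and
    still correct if collector and source report in different zones.
    """
    t_event = datetime.fromisoformat(event["EventTime"])
    t_recv = datetime.fromisoformat(event["EventReceivedTime"])
    if t_event.tzinfo is None or t_recv.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return t_recv - t_event


def lag_report(lines, threshold=timedelta(minutes=5)) -> dict:
    """Summarise lag over a batch of lines and list events over the threshold.

    Each late entry is (RecordNumber, EventID, lag in whole seconds) so the
    delayed record can be located in the Security channel on the source host.
    """
    lags, late = [], []
    for line in lines:
        ev = parse_line(line)
        lag = event_lag(ev)
        lags.append(lag.total_seconds())
        if lag > threshold:
            late.append((ev["RecordNumber"], ev["EventID"], round(lag.total_seconds())))
    return {
        "count": len(lags),
        "max_s": max(lags),
        "median_s": statistics.median(lags),
        "late": late,
    }


def make_line(event_time: str, received: str, event_id: int, record: int) -> str:
    """Build a constructed sample line in the shape of the question's output."""
    payload = {
        "EventTime": event_time,
        "Hostname": "EXHost1.Example.net",
        "EventID": event_id,
        "SourceName": "Microsoft-Windows-Security-Auditing",
        "RecordNumber": record,
        "Channel": "Security",
        "EventReceivedTime": received,
        "SourceModuleName": "i_win",
        "SourceModuleType": "im_msvistalog",
    }
    stamp = datetime.fromisoformat(event_time).strftime("%b %d %H:%M:%S")
    return "<14>%s EXHost1.Example.net %s[0x28c0]: %s" % (
        stamp, payload["SourceName"], json.dumps(payload))


# Constructed sample input (not captured data).
SAMPLE_LINES = [
    # about 2h08m late, the same stamps as the event quoted in the question
    make_line("2025-06-24T10:56:26.039509+02:00", "2025-06-24T13:04:13.896816+02:00",
              4674, 355721231415),
    # 1.5 s late: the normal case for im_msvistalog
    make_line("2025-06-24T13:04:12.000000+02:00", "2025-06-24T13:04:13.500000+02:00",
              4624, 355721231416),
    # 12m14s late, EventTime in UTC to exercise offset-aware subtraction
    make_line("2025-06-24T10:52:00.000000+00:00", "2025-06-24T13:04:14.000000+02:00",
              4672, 355721231417),
]

if __name__ == "__main__":
    print(json.dumps(lag_report(SAMPLE_LINES), indent=2))
```

Run it against a capture of the TCP stream (or a file written by a second om_file output) to see the lag distribution per batch. Because the answer places the delay inside Windows before nxlog reads the record, a large max_s here does not by itself indicate an agent problem; what it does show is that any SIEM search bounded by ingestion time will miss these events, so correlation should use EventTime and the late list should feed an alert when the median climbs.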