Configuration to send Windows Security Logs only


cwalter

Hello, I am testing nxlog to see if it works with sending security logs to our SIEM. I only want to send the Security events on our servers, and have our config file as shown:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module  im_msvistalog
    # Collect only the Security channel. The commented-out Application and
    # System selects from the stock config have been dropped so the Query
    # value stays one well-formed, line-continued XML document.
    Query   <QueryList>                                   \
                <Query Id="0">                            \
                    <Select Path="Security">*</Select>    \
                </Query>                                  \
            </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        10.250.254.19
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>


I get some security logs, but many are missing, like logon/logoff events (4624, 4634).

1. Why are these events missing, and

2. Eventually, I would like to only send certain Event IDs to our SIEM, and hope to get help with an example of what the query would look like with the specific Event IDs needed.

I will want to just send PCI Event IDs to our SIEM for retention.
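For the second question, here is an added example of an im_msvistalog input that forwards only a fixed list of Security event IDs. It is my illustration, not a reply from the thread and not NXLog's own documentation. It assumes the rest of the posted config (the syslog extension, the om_udp output and the route) is unchanged and that this block replaces the poster's Input eventlog block. The ID list is a constructed placeholder standing in for whatever the PCI retention list turns out to be; it is not a PCI-mandated set. The filter uses the Windows Event Log XPath form that Event Viewer itself generates for a custom view, so the unwanted events are never read from the channel at all.

```apacheconf
<Input eventlog>
    Module  im_msvistalog
    # Filter at the source with an XPath query: only the Security channel,
    # and within it only the listed event IDs. Events that do not match are
    # never handed to nxlog, so nothing downstream has to drop them.
    # The ID list is a constructed placeholder, not a PCI-mandated set.
    Query   <QueryList>                                                         \
                <Query Id="0">                                                  \
                    <Select Path="Security">                                    \
                        *[System[(EventID=4624 or EventID=4625 or EventID=4634  \
                                  or EventID=4648 or EventID=4672               \
                                  or EventID=4720 or EventID=4726               \
                                  or EventID=4740 or EventID=1102)]]            \
                    </Select>                                                   \
                </Query>                                                        \
            </QueryList>
    # Alternative if the list is easier to keep in nxlog syntax than in XPath:
    # leave the Query as <Select Path="Security">*</Select> and discard in Exec.
    # This reads every Security event and drops the unwanted ones in nxlog,
    # so it costs more than the XPath filter above but is easier to edit.
    # Exec    if not ($EventID == 4624 or $EventID == 4625 or $EventID == 4634 \
    #                 or $EventID == 4648 or $EventID == 4672 or $EventID == 4720 \
    #                 or $EventID == 4726 or $EventID == 4740 or $EventID == 1102) \
    #             drop();
</Input>
```

One check worth doing before tuning the query: open Event Viewer on the server and confirm that 4624 and 4634 appear in the Security log at all. Those events are only written when the host's audit policy generates them (auditpol /get /category:"Logon/Logoff" shows the current settings), and no collector query can forward an event the operating system never recorded. Only once the events are visible locally does the query in the nxlog config become the thing to compare against.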