om_file to write in .evtx files
Hi,
I want to store my logs in an .evtx file on Windows. I tried the following configuration.
<Output out2>
    Module om_file
    File '%ROOT%\tmp\test.evtx'
</Output>
This created an .evtx file, but it also opens with Notepad, WordPad, etc. For security purposes, I want to make it open only with the MS Event Viewer API.
Is this possible using the nxlog om_file module? Is there any plugin for nxlog to store data in .evtx files?
There is no support for writing .evtx files in NXLog currently.
im_file can write both text and binary data, but it needs to be in the correct format. EVTX is a proprietary binary format and only the Windows Eventlog API can write this.
Just because evtx cannot be opened with a text viewer does not mean your data is more secure. You should have proper access control in place instead of trying to hide data in a binary format.
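The access-control approach the answer recommends, as an added example that is not from the thread or from NXLog: a PowerShell script that locks down the directory om_file writes to so that only the service account can append and only administrators can read. It assumes the log directory is C:\nxlog\logs and that the NXLog service runs as LocalSystem; change the principal if your service uses a dedicated account.

```powershell
# Added example (not from the original thread): protect the om_file output
# directory with an NTFS ACL instead of relying on the file format.
# Assumptions: logs live in C:\nxlog\logs and NXLog runs as NT AUTHORITY\SYSTEM.
$LogDir = 'C:\nxlog\logs'

if (-not (Test-Path -Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

$acl = Get-Acl -Path $LogDir

# Stop inheriting the parent's (usually permissive) entries and do not copy them.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries already present so the result is exactly what we add.
foreach ($rule in @($acl.Access)) {
    if (-not $rule.IsInherited) { $null = $acl.RemoveAccessRule($rule) }
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# The NXLog service account needs to create and append to log files.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'Modify', $inherit, $propagate, $allow)))

# Administrators may read the logs for review but get no write access here.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'ReadAndExecute', $inherit, $propagate, $allow)))

Set-Acl -Path $LogDir -AclObject $acl

# Verify: only the two principals above should appear, with no inherited entries.
(Get-Acl -Path $LogDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Members of Administrators can still take ownership and change the ACL, so pair this with log forwarding to a separate host if tamper-evidence matters.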