om_file to write in .evtx files


#1 snehal

Hi,

I want to store my logs in an .evtx file on Windows. I tried the following configuration:

    <Output out2>
        Module  om_file
        File    '%ROOT%\tmp\test.evtx'
    </Output>

This created an .evtx file, but it also opened in Notepad, WordPad, etc. For security purposes, I want to make it open with the MS Event Viewer API only.

Is this possible using the nxlog om_file module? Is there a plugin for nxlog to store data in .evtx files?

#2 b0ti Nxlog ✓

There is no support for writing .evtx files in NXLog currently.

om_file can write either text or binary data, but it needs to be in the correct format. EVTX is a proprietary binary format, and only the Windows Event Log API can write it.

Just because .evtx cannot be opened with a text viewer does not mean your data is more secure. You should have proper access control in place instead of trying to hide data in a binary format.
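One way to put the access control b0ti recommends in place, as an added example rather than anything from the thread or from NXLog: restrict the om_file output directory with an NTFS ACL so only Administrators and the service account can reach the log files, regardless of their extension. The directory path and the assumption that the nxlog service runs as LocalSystem are mine; adjust both to your installation.

```powershell
# Added example (not from the forum thread): lock down the NXLog output
# directory so the log files are readable only by SYSTEM and Administrators,
# and writable by the account the nxlog service runs as.
$LogDir       = 'C:\Program Files\nxlog\tmp'   # assumed: %ROOT%\tmp from the post
$NxlogAccount = 'NT AUTHORITY\SYSTEM'          # assumed: service account of nxlog

if (-not (Test-Path -Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

$acl = Get-Acl -Path $LogDir

# Stop inheriting the parent's permissions and drop the inherited ACEs, so
# anyone who can read the parent directory cannot read the logs.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$grants = @(
    # Administrators: full control, for review and rotation
    @('BUILTIN\Administrators', 'FullControl'),
    # The collector account: enough to create and append to log files
    @($NxlogAccount, 'Modify')
)

foreach ($grant in $grants) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant[0], $grant[1], $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($ace)
}

Set-Acl -Path $LogDir -AclObject $acl

# Verify: no Users or Everyone entry should remain, and nothing is inherited.
(Get-Acl -Path $LogDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session; the verification table at the end should list only the two identities granted above, each with IsInherited set to False.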