Windows EventData not captured

traz
Hi, I'm using the im_msvistalog input to grab events from the Windows security log, however the important information is being ignored. This is one of my Windows events:

```text
411 0 3 0x8090000000000000 85712874 Security server1
00000000-0000-0000-0000-000000000000
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
user1@domain.com
System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
8.8.8.8
Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Client IP: 8.8.8.8
Error message: user1@domain.com
Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
Information Info Audit Failure Classic
```

As you can see, the relevant information is between the EventData and Message tags.
But this information does not appear in the output message:

```json
{
  "EventTime": "2018-11-06 09:22:29",
  "Hostname": "server1",
  "Keywords": -9182839640208441344,
  "EventType": "AUDIT_FAILURE",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 411,
  "SourceName": "AD FS Auditing",
  "Task": 3,
  "RecordNumber": 85712874,
  "ProcessID": 0,
  "ThreadID": 0,
  "Channel": "Security",
  "Domain": "domain.com",
  "AccountName": "service1",
  "AccountType": "User",
  "EventReceivedTime": "2018-11-06 09:22:31",
  "SourceModuleName": "eventlog",
  "SourceModuleType": "im_msvistalog"
}
```

This is my nxlog config:

```
<Input eventlog>
    Module      im_msvistalog
    Channel     ForwardedEvents
    Exec        $Message = to_json();
</Input>

<Output graylog>
    Module      om_tcp
    Host        graylog.server.com
    Port        1111
    OutputType  GELF_TCP
</Output>

# route name assumed; the block name was not visible in the post
<Route r>
    Path        eventlog => graylog
</Route>
```

According to the [docs](https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog), data between EventData tags is automatically extracted if it is named, but it isn't in my case. Can data be extracted manually somehow? I'm running nxlog CE 2.9. Thanks
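One way to pull the labelled values (Client IP, Token Type, Activity ID, Error message) out of the rendered text with NXLog's own regex operator, as an added example that is not from the original post or from NXLog's documentation; it assumes the rendered message shown above arrives in $Message (the JSON output above does not show it, so check that first), and the new field names are chosen here, not defined by NXLog:

```nxlog
<Input eventlog>
    Module   im_msvistalog
    Channel  ForwardedEvents
    <Exec>
        # Only AD FS Auditing event 411 carries the labels matched below
        if $EventID == 411
        {
            # Field names ($ClientIP etc.) are this example's choice
            if $Message =~ /Client IP: (\S+)/ $ClientIP = $1;
            if $Message =~ /Token Type: (\S+)/ $TokenType = $1;
            if $Message =~ /Activity ID: ([0-9a-fA-F-]+)/ $ActivityID = $1;
            # The error text runs up to the "Exception details" label; /s lets . span lines
            if $Message =~ /Error message: (.+?)\s*Exception details:/s $ErrorMessage = $1;
        }
        # Serialise after the new fields exist so they end up in the JSON sent to Graylog
        $Message = to_json();
    </Exec>
</Input>
```

If $Message itself is empty for these events, the regex has nothing to match and the fields stay unset; the forwarded event's rendered text is the prerequisite for this approach.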