Capture Windows Event ID in Logs

adminman
Hey all, I want to be able to capture the event IDs of Windows events in my SIEM, but currently they don't come through and I'm not sure what changes need to be made to make them come through. Below are my config files and an example of how they come in. Any ideas? Thanks in advance.

How events come in:

10 Jul 2019 16:57:42.364Jul 10 12:57:40 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Local Authority service entered the running state.
10 Jul 2019 16:57:43.385Jul 10 12:57:41 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Processor service entered the running state.

Config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Block tags (<Extension>, <Input>, <Output>, <Route>) were lost when the post
# was extracted; they are restored here following the nxlog default config,
# and the extension instance names are assumed from that default.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module im_msvistalog
    # The original post had a query block here whose markup was lost in
    # extraction; only three wildcards survived: * * *
</Input>

<Output tcp>
    Module om_tcp
    Host ********
    Port ********
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path eventlog => tcp
</Route>
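The reason the event ID never reaches the SIEM is visible in the output block: to_syslog_bsd() builds the BSD syslog header from $Severity, $EventTime, $Hostname, $SourceName and $ProcessID and puts only $Message in the body, so the separate $EventID field produced by im_msvistalog is discarded (the bracketed "[532]" in the sample is the process ID, not the event ID). The fragment below is an added example, not the poster's config, showing the original output beside two corrected variants that carry $EventID across; it assumes the poster's <Input eventlog> and eventlog => tcp route stay as they are, and SIEM_HOST_PLACEHOLDER and port 514 are placeholders.

```nxlog
# Added example (not from the original post). Only the parts that change are
# shown; the <Input eventlog> instance and the route are assumed unchanged.

<Extension _syslog>
    Module xm_syslog
</Extension>

# xm_json is needed for to_json(); it is not in the poster's config.
<Extension _json>
    Module xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog
</Input>

# BEFORE (the poster's output): the BSD header keeps $SourceName and
# $ProcessID, the body keeps $Message, and $EventID is silently dropped.
#<Output tcp>
#    Module om_tcp
#    Host SIEM_HOST_PLACEHOLDER
#    Port 514
#    Exec to_syslog_bsd();
#</Output>

# Option A: keep the BSD framing the SIEM already parses, but replace the
# body with a JSON rendering of every field, so $EventID, $Channel,
# $EventType, $SourceName and the original $Message all arrive.
<Output tcp>
    Module om_tcp
    Host SIEM_HOST_PLACEHOLDER
    Port 514
    Exec $Message = to_json(); to_syslog_bsd();
</Output>

# Option B: the Snare format, which many SIEMs decode natively; it emits the
# event fields tab-separated, with the event ID as its own field.
#<Output tcp>
#    Module om_tcp
#    Host SIEM_HOST_PLACEHOLDER
#    Port 514
#    Exec to_syslog_snare();
#</Output>

<Route 1>
    Path eventlog => tcp
</Route>
```

Pick one <Output tcp> block and leave the others commented out; nxlog will refuse to start with two outputs of the same name. Option A is the safer change when the SIEM has a generic syslog parser and a JSON field extractor, because the header the SIEM already understands is untouched. Option B is the better fit when the SIEM has a built-in Snare/Windows event decoder, since it then maps the event ID, channel and severity into its native Windows schema without a custom parser. Either way, a quick check after the change is to search the SIEM for the 7036-style "entered the running state" messages and confirm an event ID field is now populated alongside them.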