Capture Windows Event ID in Logs
Hey all,
I want to be able to capture the event IDs of Windows events in my SIEM, but currently they don't come through and I'm not sure what changes need to be made to make them come through. Below are my config files and an example of how they come in. Any ideas? Thanks in advance.
How events come in:
10 Jul 2019 16:57:42.364<14>Jul 10 12:57:40 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Local Authority service entered the running state.
10 Jul 2019 16:57:43.385<14>Jul 10 12:57:41 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Processor service entered the running state.
Config:
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output tcp>
    Module  om_tcp
    Host    ********
    Port    ********
    Exec    to_syslog_bsd();
</Output>

<Route eventlog_to_tcp>
    Path    eventlog => tcp
</Route>
Hello,
You could re-write the $Message field as follows:
Exec $Message = 'EventID: ' + $EventID + ' ' + $Message;
This would give you :
2019-07-10 14:46:14 INFO <14>Jul 10 14:46:13 WIN-LU43V8BOQ6J Service_Control_Manager[572]: EventID: 7036 The Microsoft Account Sign-in Assistant service entered the stopped state.
Or you could grab all fields by adding a $Message = to_json(); instead.
Exec $Message = to_json(); to_syslog_bsd();
2019-07-10 14:48:08 INFO <14>Jul 10 14:48:06 WIN-LU43V8BOQ6J Service_Control_Manager[572]: {"EventTime":"2019-07-10 14:48:06","Hostname":"WIN-LU43V8BOQ6J","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":53436,"ExecutionProcessID":572,"ExecutionThreadID":1864,"Channel":"System","Message":"The Software Protection service entered the running state.","param1":"Software Protection","param2":"running","EventReceivedTime":"2019-07-10 14:48:08","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
Either way, your SIEM will need to know how to parse the message to extract the EventID.
That should get you in the right direction.
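The reply points out that the SIEM still has to parse the message body to pull out the EventID. The following is an added example (not part of the original thread, and not nxlog's own code) of the receiving side: a small Python parser that handles a BSD syslog line produced by to_syslog_bsd() in both of the forms shown above, the "EventID: NNNN ..." prefix and the to_json() body, and also the original un-enriched form, where it correctly reports that no EventID is present. The sample lines, the hostname WIN-EXAMPLE and the timestamps are constructed for the example; any receive-time prefix that a SIEM adds before the <PRI> field is skipped.

```python
import json
import re

# Constructed sample lines modelled on the formats in the thread (host and times made up).
SAMPLE_PREFIXED = (
    "<14>Jul 10 14:46:13 WIN-EXAMPLE Service_Control_Manager[572]: "
    "EventID: 7036 The Microsoft Account Sign-in Assistant service entered the stopped state."
)
SAMPLE_JSON = (
    "<14>Jul 10 14:48:06 WIN-EXAMPLE Service_Control_Manager[572]: "
    '{"EventTime":"2019-07-10 14:48:06","Hostname":"WIN-EXAMPLE","EventType":"INFO",'
    '"SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager",'
    '"Channel":"System","Message":"The Software Protection service entered the running state.",'
    '"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}'
)
# Un-enriched form (what the original config emits): no EventID anywhere in the line.
SAMPLE_PLAIN = (
    "10 Jul 2019 16:57:42.364<14>Jul 10 12:57:40 WIN-EXAMPLE Service_Control_Manager[532]: "
    "The Microsoft Policy Platform Local Authority service entered the running state."
)

# BSD syslog shape: <PRI>MMM dd HH:MM:SS host tag[pid]: message
# Not anchored at start, so a SIEM receive timestamp before <PRI> is tolerated.
BSD_RE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
# The "$Message = 'EventID: ' + $EventID + ' ' + $Message" form from the reply.
EVENTID_PREFIX_RE = re.compile(r"^EventID: (?P<eid>\d+) (?P<rest>.*)$", re.DOTALL)


def parse_line(line):
    """Parse one syslog line; return header fields plus event_id (int or None), or None if not syslog."""
    m = BSD_RE.search(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri >> 3,          # <14> -> facility 1 (user)
        "severity": pri & 7,           # <14> -> severity 6 (info)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "event_id": None,
        "message": m.group("msg"),
        "fields": {},
    }
    body = m.group("msg")
    if body.startswith("{"):
        # to_json() form: the whole body is a JSON object carrying EventID and friends.
        try:
            fields = json.loads(body)
        except json.JSONDecodeError:
            return rec  # malformed JSON: keep the raw body, event_id stays None
        rec["fields"] = fields
        eid = fields.get("EventID")
        if isinstance(eid, int) or (isinstance(eid, str) and eid.isdigit()):
            rec["event_id"] = int(eid)
        rec["message"] = fields.get("Message", body)
        return rec
    pm = EVENTID_PREFIX_RE.match(body)
    if pm:
        # Prefixed form: strip the "EventID: NNNN " marker back off the message text.
        rec["event_id"] = int(pm.group("eid"))
        rec["message"] = pm.group("rest")
    return rec


def event_ids(lines):
    """Event IDs for a batch of lines, in order; None where a line carries no EventID."""
    return [(r["event_id"] if r else None) for r in map(parse_line, lines)]


if __name__ == "__main__":
    for line in (SAMPLE_PREFIXED, SAMPLE_JSON, SAMPLE_PLAIN):
        print(parse_line(line))
```

The JSON form is the more robust choice for a SIEM ingest: every field (Channel, RecordNumber, SourceName, the param values) arrives with a name, and a parser failure is visible as a decode error rather than a silently truncated message. The prefixed form is cheaper on the wire but depends on the message never starting with text that looks like the marker.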