How to extract data from unnamed EventData Data fields of Event

#1 DH

Hi! Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests.

```
- - 2889 0 4 16 0 0x8080000000000000 242410 Directory Service PC1.DOMAINXY.local - 172.172.172.172:33426 DOMAINXY\USERXY 0
```

Simply sending this to syslog works like charm. But in this case I would like to get the values from all three fields into $raw_event with a special text, like:

```
# Capture group names and the XML tags of the Query were stripped by the forum
# extraction; they are reconstructed here, and the Input block name is assumed.
define EventID_2889_REGEX /(?x) \
    (?<ClientAddress>(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)) \
    (?<Identity>([\w\d]+)) \
    (?<BindingType>(\d+))/

<Input in>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>\
                </Query>\
            </QueryList>
    Exec    $EventData =~ %EventID_2889_REGEX%;
    Exec    $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]";
    Exec    $SyslogFacilityValue = 21;
    Exec    $SyslogFacility = "LOCAL5";
    Exec    $ProcessID = $SubjectUserName;
    Exec    $SourceName = "2889";
    Exec    parse_syslog_ietf();
    Exec    to_syslog_ietf();
</Input>
```

I tried a lot, read the NXLog CE documentation hints, googled for days now... to list it all up here would explode the forum ;-) Could you please give me some hints how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured? Thanks in advance!
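For readers who want to see what the post is after in working code, here is an added example (not from the original post, not NXLog's own code): a small Python script that parses the event XML, gives the unnamed Data fields of EventID 2889 positional names and builds the message the post wanted in $raw_event. The sample event, the field names ClientAddress/Identity/BindingType and the namespace handling are my assumptions; the values are the ones quoted in the post.

```python
"""Extract unnamed <Data> fields from a Windows event's EventData section."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional names for events whose <Data> elements carry no Name attribute.
# For 2889 the documented order is client address:port, identity, binding type.
POSITIONAL_NAMES = {
    2889: ("ClientAddress", "Identity", "BindingType"),
}

# Constructed sample event (not a real capture); values mirror the post above.
SAMPLE_2889 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>2889</EventID>
    <Channel>Directory Service</Channel>
    <Computer>PC1.DOMAINXY.local</Computer>
  </System>
  <EventData>
    <Data>172.172.172.172:33426</Data>
    <Data>DOMAINXY\\USERXY</Data>
    <Data>0</Data>
  </EventData>
</Event>"""


def parse_event_data(xml_text):
    """Return {name: value} for EventData; unnamed <Data> get the positional names
    registered for the EventID, or Data1, Data2, ... when none are known."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    names = POSITIONAL_NAMES.get(event_id, ())
    fields = {"EventID": event_id}
    for i, data in enumerate(root.findall("e:EventData/e:Data", NS)):
        name = data.get("Name") or (names[i] if i < len(names) else "Data%d" % (i + 1))
        fields[name] = (data.text or "").strip()
    return fields


def format_2889(fields):
    """Build the message the post wanted in $raw_event, decoding the bind type
    (0 = simple bind without TLS, 1 = SASL bind without signing)."""
    bind = {"0": "simple bind without TLS", "1": "SASL bind without signing"}
    kind = bind.get(fields["BindingType"], "binding type " + fields["BindingType"])
    return "Unsigned or simple non TLS LDAP bind request: [%s %s %s]" % (
        fields["ClientAddress"], fields["Identity"], kind)


if __name__ == "__main__":
    print(format_2889(parse_event_data(SAMPLE_2889)))
```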
#2 Misaziv (Deactivated, NXLog ✓)

As mentioned in this thread (https://nxlog.co/question/4158/windows-eventdata-not-captured), you would need NXLog EE to do this.

~MisaZ