NXLog User Guide
- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elastic Cloud
- 67. Elastic Common Schema (ECS)
- 68. Elasticsearch and Kibana
- 69. F5 BIG-IP
- 70. File Integrity Monitoring
- 71. FreeRADIUS
- 72. General Electric CIMPLICITY
- 73. Google Chronicle
- 74. Graylog
- 75. HP ProCurve
- 76. IBM QRadar SIEM
- 77. Industrial Control Systems
- 78. Kubernetes
- 79. Linux Audit System
- 80. Linux system logs
- 81. Log Event Extended Format (LEEF)
- 82. LogPoint
- 83. Logstash
- 84. McAfee Enterprise Security Manager (ESM)
- 85. McAfee ePolicy Orchestrator
- 86. Micro Focus ArcSight Logger
- 87. Microsoft Active Directory Domain Controller
- 88. Microsoft Azure
- 89. Microsoft Azure Event Hubs
- 90. Microsoft Azure Sentinel
- 91. Microsoft Defender for Identity
- 92. Microsoft Exchange
- 93. Microsoft IIS
- 94. Microsoft SharePoint
- 95. Microsoft SQL Server
- 96. Microsoft System Center Endpoint Protection
- 97. Microsoft System Center Configuration Manager
- 98. Microsoft System Center Operations Manager
- 99. MongoDB
- 100. Nagios Log Server
- 101. Nessus Vulnerability Scanner
- 102. NetApp
- 103. .NET application logs
- 104. Nginx
- 105. Okta
- 106. Oracle Database
- 107. Osquery
- 108. Postfix
- 109. Promise
- 110. Raijin Database Engine
- 111. Rapid7 InsightIDR SIEM
- 112. RSA NetWitness
- 113. SafeNet KeySecure
- 114. Salesforce
- 115. SAP
- 116. Schneider Electric Citect SCADA
- 117. Siemens SICAM SCC
- 118. Siemens SIMATIC PCS 7
- 119. Snare
- 120. Snort
- 121. Solarwinds Loggly
- 122. Splunk
- 123. Sumo Logic
- 124. Symantec Endpoint Protection
- 125. Synology DiskStation
- 126. Syslog
- 127. Sysmon
- 128. Ubiquiti UniFi
- 129. VMware vCenter
- 130. Windows AppLocker
- 131. Windows Command Line Auditing
- 132. Windows Event Log
- 133. Windows Firewall
- 134. Windows Group Policy
- 135. Windows Management Instrumentation (WMI)
- 136. Windows PowerShell
- 137. Windows Security audit
- 138. Windows Time service
- 139. Microsoft Windows Update
- 140. Windows USB auditing
- 141. YOKOGAWA FAST/TOOLS
- 142. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
132.5. Forwarding Event Log Data
After collecting the Event Log data from a Windows system with NXLog, it may need to be sent to another host. This section provides details and examples for configuring this.
Event descriptions in Event Log data may contain tabs and newlines, but these are not supported by some formats like BSD Syslog. In this case, a regular expression can be used to remove them.
This input instance is configured to modify the $Message field (the
event description) by replacing all tab characters and newline
sequences with spaces.
![[Download file]](images/icons/download_icon.png "Download file"){kind=icon}
1
2
3
4
<Input in>
Module im_mseventlog
Exec $Message =~ s/(\t|\R)/ /g;
</Input>
132.5.1. Forwarding Event Log in BSD Syslog format
Event Log data is commonly sent in the BSD Syslog format. This can be generated with the to_syslog_bsd() procedure provided by the xm_syslog module. For more information, see Sending Syslog to a Remote Logger via UDP, TCP, or TLS.
This example configuration removes tab characters and newline
sequences from the $Message field, converts the event record to BSD
Syslog format, and forwards the event via UDP.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<Extension _syslog>
Module xm_syslog
</Extension>
<Input eventlog>
Module im_msvistalog
Exec $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>
<Output udp>
Module om_udp
Host 10.10.1.1
Port 514
</Output>
|
Note
|
The to_syslog_bsd() procedure will use only a subset of the Event Log fields. |
<14>Jan 2 10:21:16 win7host Service_Control_Manager[448]: The Computer Browser service entered the running state.132.5.2. Forwarding Windows Event Log in JSON format
To preserve all event log fields, the logs can be formatted as JSON. The xm_json module provides a to_json() procedure for this purpose. For more information about generating logs in JSON format, see JSON.
This example configuration converts the event record to JSON format and forwards the event via TCP.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<Extension _json>
Module xm_json
</Extension>
<Input eventlog>
Module im_msvistalog
Exec to_json();
</Input>
<Output tcp>
Module om_tcp
Host 192.168.10.1
Port 1514
</Output>
{
"EventTime": "2017-01-02 10:21:16",
"Hostname": "win7host",
"Keywords": -9187343239835812000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 7036,
"SourceName": "Service Control Manager",
"ProviderGuid": "{525908D1-A6D5-5695-8E2E-26921D2011F3}",
"Version": 0,
"Task": 0,
"OpcodeValue": 0,
"RecordNumber": 2629,
"ProcessID": 448,
"ThreadID": 2872,
"Channel": "System",
"Message": "The Computer Browser service entered the running state.",
"param1": "Computer Browser",
"param2": "running",
"EventReceivedTime": "2017-01-02 10:21:17",
"SourceModuleName": "eventlog",
"SourceModuleType": "im_msvistalog"
}For compatibility with logging systems that require BSD Syslog, the JSON format can be used with a BSD Syslog header.
This example configuration converts the event record to JSON, adds a BSD Syslog header, and forwards the event via UDP.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<Extension _json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input eventlog>
Module im_msvistalog
Exec $Message = to_json(); to_syslog_bsd();
</Input>
<Output udp>
Module om_udp
Host 192.168.2.1
Port 514
</Output>
<14>Jan 2 10:21:16 win7host Service_Control_Manager[448]: {"EventTime":"2017-01-02 10:21:16","Hostname":"win7host","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{525908D1-A6D5-5695-8E2E-26921D2011F3}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":2629,"ProcessID":448,"ThreadID":2872,"Channel":"System","Message":"The Computer Browser service entered the running state.","param1":"Computer Browser","param2":"running","EventReceivedTime":"2017-01-02 10:21:17","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}132.5.3. Forwarding Windows Event Log in the Snare format
The Snare format is often used for Windows Event Log data. The xm_syslog module includes a to_syslog_snare() procedure which can generate the Snare format with a Syslog header. For more information about the Snare format, see Snare.
This example configuration removes tab characters and newline
sequences from the $Message field, converts the event record to the
Snare over Syslog format, and forwards the event via UDP.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<Extension _syslog>
Module xm_syslog
</Extension>
<Input eventlog>
Module im_msvistalog
Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare();
</Input>
<Output snare>
Module om_udp
Host 192.168.1.1
Port 514
</Output>
<14>Jan 2 10:21:16 win7host MSWinEventLog⇥1⇥System⇥193⇥Mon Jan 02 10:21:16 2017⇥7036⇥Service Control Manager⇥N/A⇥N/A⇥Information⇥win7host⇥N/A⇥⇥The Computer Browser service entered the running state.⇥2773