For reading native Windows Event Log files in .evtx format, we need the NXLog Enterprise Edition agent.
If you are not already an NXLog customer, visit the NXLog Enterprise Edition Downloads page and select NXLog Enterprise Edition v5 trial from the dropdown menu.
With NXLog EE installed and running on a Windows machine, we can update its configuration file shown below to load the Windows (im_msvistalog) input module that supports
In this configuration, the 266 .evtx files representing our test sample of Windows security events were copied from their respective directories in the Git repository to a single directory on our Windows host.
Changes to an existing nxlog.conf file will not take effect until you manually restart the nxlog service under Windows Services.
The JSON (xm_json) extension module is loaded to enable the procedure call that converts the events on the fly to JSON.
The Raijin (om_raijin) output module receives the JSON records and sends them to the Raijin server, database, and table specified in the module instance.
```
File "C:\\Program Files\\nxlog\\data\\EVTX-ATTACK-SAMPLES\\*.evtx"
# SavePos FALSE
```
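A complete nxlog.conf that wires the three module instances described above together (im_msvistalog reading the copied .evtx files, xm_json for conversion, om_raijin for delivery). This is an added illustration, not the post's own configuration file: the instance names (evtx, json, raijin), the Raijin URL, and the database and table names are assumed placeholders to be replaced with your own values.

```conf
# Added illustration, not the post's own configuration.
# Instance names, the Raijin URL, and the DBName/DBTable values are
# assumed placeholders; adjust them to your deployment.
define ROOT C:\Program Files\nxlog

ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# JSON extension: provides the to_json() procedure used in the output below.
<Extension json>
    Module  xm_json
</Extension>

# Read the copied .evtx sample files instead of a live Event Log channel.
# SavePos is left at its default (TRUE) so a restart resumes where it left
# off; uncomment it to re-read every sample file on each restart.
<Input evtx>
    Module  im_msvistalog
    File    "C:\\Program Files\\nxlog\\data\\EVTX-ATTACK-SAMPLES\\*.evtx"
    # SavePos FALSE
</Input>

# Convert each event record to JSON and send it to the Raijin server.
# URL, DBName and DBTable below are placeholders.
<Output raijin>
    Module   om_raijin
    URL      http://raijin.example.internal:2500/
    DBName   nxlog
    DBTable  evtx_attack_samples
    Exec     to_json();
</Output>

# Route the .evtx input to the Raijin output.
<Route evtx_to_raijin>
    Path  evtx => raijin
</Route>
```

After editing the file, restart the nxlog service so the new input, extension and output instances are loaded; a wildcard in the File directive picks up every .evtx file in the directory, so the 266 sample files need no individual listing.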
In this post, we are only looking at a groomed collection of Windows events specific to intrusion detection.
Once our setup is fully configured to detect a wider variety of Windows events associated with cyberattacks, we would add an additional Windows input module (im_etw) that is capable of directly connecting to Event Tracing for Windows (ETW).
This module can collect Windows Debug and Analytical channels that are otherwise not available to regular, non-ETW modules and software which are limited to reading only the standard Windows Event Log channels.