Hi, I recently started using Nxlog with Windows event log.
I'm able to get events off of the Security log and onto my server, however, I've noticed something peculiar.
The value of the 'ProcessID' field is always 4, no matter what process is generating the event.
My nxlog.conf has the following sections:
<Extension json>
    Module xm_json
</Extension>

<Input security_log>
    Module im_msvistalog
    SavePos TRUE
    ReadFromLast TRUE
    Channel Security
    Query *
</Input>

<Output out>
    Module om_tcp
    Host 10.1.11.50
    Port 9000
    Exec to_json();
</Output>

<Route 1>
    Path security_log => out
</Route>
And the resulting output looks like:
{
  "EventTime": "2016-01-18 10:32:13",
  "Hostname": "dev-collector.dev.local",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4689,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 13313,
  "OpcodeValue": 0,
  "RecordNumber": 355,
  "ProcessID": 4,
  "ThreadID": 48,
  "Channel": "Security",
  "Message": "A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3503561835-834928460-339998367-1000\r\n\tAccount Name:\t\tachung\r\n\tAccount Domain:\t\tDEV-COLLECTOR\r\n\tLogon ID:\t\t0x727518c\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xb64\r\n\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n\tExit Status:\t0x0",
  "Category": "Process Termination",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-5-21-3503561835-834928460-339998367-1000",
  "SubjectUserName": "achung",
  "SubjectDomainName": "DEV-COLLECTOR",
  "SubjectLogonId": "0x727518c",
  "Status": "0x0",
  "ProcessName": "C:\\Windows\\System32\\calc.exe",
  "EventReceivedTime": "2016-01-18 10:32:14",
  "SourceModuleName": "security_log",
  "SourceModuleType": "im_msvistalog"
}
The value of the "ProcessID" field is 4, when it should be 2916 (0xb64), as shown in the "Message" field. Is this a configuration issue or possibly a bug with one of the modules?
Thanks,
Allen
Comments (5)
Thank you for your reply. Would it be possible to distinguish the two and have both as fields?
Perhaps edit nxlog.conf to something like:
It's not possible to do this from the conf because the field names are set by the module when the data is parsed.
Good to hear this is being worked on!
In terms of implementation, guessing you already have this in mind, but it might be worth considering:
Cheers!
You can also extract this data from the $Message field with some regex and parse_kvp magic.
The NXLog EE beta now sets the field `ExecutionProcessID` in order to avoid the conflict. There is also an additional configuration option `AddPrefix` so that fields under `EventData` are collected as `EventData.ProcessID`.
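Until the beta fields are available, the collision can be resolved on the receiving side the way the regex suggestion above describes. The following is an added example, not code from the question or from NXLog: it takes the JSON record exactly as om_tcp emitted it on this page, keeps the envelope value under the name `ExecutionProcessID`, and recovers the audited process ID from the `Message` text as `EventData.ProcessID` (both field names taken from the last comment; the hex-to-decimal conversion turns 0xb64 into 2916).

```python
import json
import re

# Trimmed copy of the record shown in the question (same values, fewer fields).
SAMPLE_RECORD = json.dumps({
    "EventID": 4689,
    "ProcessID": 4,
    "ThreadID": 48,
    "Channel": "Security",
    "Message": (
        "A process has exited.\r\n\r\nSubject:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-3503561835-834928460-339998367-1000\r\n"
        "\tAccount Name:\t\tachung\r\n\tAccount Domain:\t\tDEV-COLLECTOR\r\n"
        "\tLogon ID:\t\t0x727518c\r\n\r\nProcess Information:\r\n"
        "\tProcess ID:\t0xb64\r\n\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n"
        "\tExit Status:\t0x0"
    ),
    "ProcessName": "C:\\Windows\\System32\\calc.exe",
})

# "Process ID:" followed by a hex value in the Message text; the tab count varies
# between event types, so any whitespace is accepted.
_PROC_ID_RE = re.compile(r"Process ID:\s*(0x[0-9a-fA-F]+)")


def split_process_ids(record_json: str) -> dict:
    """Return the record with the two colliding ProcessID values kept apart.

    ExecutionProcessID is the value NXLog currently exposes as ProcessID
    (the event envelope's Execution ProcessID, 4 on this page).
    EventData.ProcessID is the audited process from the EventData section,
    recovered from Message and converted from hex to decimal.
    Field names follow the NXLog EE beta named in the last comment (assumption).
    """
    rec = json.loads(record_json)
    out = dict(rec)
    out["ExecutionProcessID"] = rec.get("ProcessID")
    match = _PROC_ID_RE.search(rec.get("Message", ""))
    if match:
        out["EventData.ProcessID"] = int(match.group(1), 16)  # "0xb64" -> 2916
    # Drop the ambiguous name so downstream consumers cannot pick the wrong one.
    out.pop("ProcessID", None)
    return out
```

When the Message carries no "Process ID:" line the record simply keeps `ExecutionProcessID` and gets no `EventData.ProcessID`, so consumers can tell "not present" from "collided".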