11 responses

Has anyone succeeded in sending .evt file content to Graylog?

Actually, I found that:

 - Using the im_file module I can parse .evt files and send their content out, but the logs are badly formatted

 - Using the im_vistalog module I can't parse .evt files, only the Windows Event Log, but the logs are well formatted

Any advice, someone?

Maybe it is possible to send the output of im_file to im_vistalog?

Thanks,
--
Mathieu

Asked June 3, 2016 - 5:58pm

Answers (2)

.evt and .evtx files are in a special binary format; collecting them with im_file will not work. The NXLog Enterprise Edition can read .evtx files directly with the im_msvistalog module.

Comments (5)

  • mathieurv

    Thank you for your answer, I will just give the Enterprise Edition a try.

    Could you please help with the syntax?

    I don't know where to put the path to the event log files.

  • mathieurv

    Great, thank you for the answer.

    So now, when I write the full path to the log file it works OK:

    File C:\TMP\adtlog.20160529205605.evt


    I'm actually trying to use the wildcard character * in the file path with no luck, the error is:

    ERROR failed to subscribe to msvistalog events,the Query is invalid:  [error code: 123]


    I followed the documentation here: https://nxlog.co/docs/en/nxlog-reference-manual.html#im_file_config_file

    And saw that someone else had the same problem: https://nxlog.co/question/945/directory-wildcardsfollowing


    I tried the following with the wildcard * without success:

    File C:\TMP\\*.evt
    File C:\\TMP\\*.evt
    File "C:\\TMP\\\\*.evt"


    Could you please explain my mistake?

    Best regards,

    Mathieu

  • adm (NXLog)

    Wildcards are not supported by the File directive of im_msvistalog yet. If you have multiple files then you should define a new module instance for each file.

    Note that the File directive is not intended as an event log monitoring facility, as it cannot pick up newly added records either. This is only for the use case where you have an .evtx file that you want to parse once for audit/forensics purposes.
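A worked example, added here and not part of this thread or of NXLog's own code: since the File directive takes one literal path and no wildcard, the practical route for a batch of audit files is one im_msvistalog instance per file. The small Python generator below builds exactly that configuration from a list of .evt paths, refuses a wildcard path before NXLog ever sees it, and routes all instances to a GELF/UDP output for Graylog. The module names im_msvistalog, om_udp and xm_gelf are NXLog's; the Graylog host and port, the instance naming scheme and the sample file list are constructed assumptions.

```python
"""Generate an NXLog config with one im_msvistalog <Input> per .evt file.

Added example for this thread, not NXLog's own code. Assumptions:
  - File takes exactly one literal path (as shown in the thread); no wildcards.
  - Module names im_msvistalog, om_udp and xm_gelf are NXLog's; the Graylog
    host/port and the sample file list below are constructed placeholders.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample input: two audit files copied into a staging folder.
SAMPLE_FILES = [
    r"C:\TMP\adtlog.20160529205605.evt",
    r"C:\TMP\adtlog.20160530010203.evt",
]


def check_no_wildcard(path: str) -> str:
    """The File directive is literal: the thread shows a '*' in the path
    being rejected with 'the Query is invalid [error code: 123]'."""
    if any(ch in path for ch in "*?"):
        raise ValueError(f"wildcards are not supported in File: {path!r}")
    return path


def instance_name(path: str, index: int) -> str:
    """Build a unique, identifier-safe instance name from the file name."""
    stem = PureWindowsPath(path).stem          # 'adtlog.20160529205605'
    safe = re.sub(r"[^A-Za-z0-9]", "_", stem)  # dots -> underscores
    return f"evt{index}_{safe}"


def render_input(name: str, path: str) -> str:
    """One im_msvistalog instance reading a single .evt file."""
    return (
        f"<Input {name}>\n"
        f"    Module  im_msvistalog\n"
        f"    File    {path}\n"
        f"</Input>\n"
    )


def render_config(evt_files, graylog_host="GRAYLOG_HOST", graylog_port=12201) -> str:
    """Full config: GELF extension, per-file inputs, one UDP output, one route."""
    names = []
    inputs = []
    for i, path in enumerate(evt_files, start=1):
        check_no_wildcard(path)
        name = instance_name(path, i)
        names.append(name)
        inputs.append(render_input(name, path))
    output = (
        "<Extension gelf>\n    Module  xm_gelf\n</Extension>\n\n"
        f"<Output graylog>\n    Module      om_udp\n"
        f"    Host        {graylog_host}\n    Port        {graylog_port}\n"
        "    OutputType  GELF\n</Output>\n\n"
    )
    # One route fans every per-file input into the single Graylog output.
    route = f"<Route evt_to_graylog>\n    Path  {', '.join(names)} => graylog\n</Route>\n"
    return output + "\n".join(inputs) + "\n" + route


if __name__ == "__main__":
    print(render_config(SAMPLE_FILES))
```

Run it against the real list of files (for example the output of a directory listing of the staging folder) and write the result to nxlog.conf; a wildcard in any path fails fast with a ValueError instead of a subscription error from NXLog at start-up.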

  • mathieurv

    Hello, thank you for the answer.

    Well, my NetApp filer generates 70 .evt files every day, for a total size of 20GB; the name is generated automatically based on the date and the timestamp when a new file is created.

    My idea was to make a script to copy the .evt files into a temporary location where NXLog will parse those files and forward the logs to our Graylog server.

    Or to simply ask NXLog to watch the location where NetApp stores the .evt files for new files and use the RenameCheck, SavePos and ReadFromLast parameters to automate things.

    I understand that it's not possible for the moment.

    Thank you again.


There is no reason and no advantage to parse .evtx files directly.

Use Windows Event Viewer as the source of your data. NXLog is very powerful at pushing your events reliably, using flow control when needed.

You just have to set the retention period of the Event Viewer source of interest to a reasonable value according to your requirements.


Comments (4)

  • mathieurv

    Thank you bourazaniss for your comment, but please note that my question is "I need to read .evt or .evtx files, how can I do it?", not "Why don't I need to read .evt or .evtx files?" ...

    You will find my case very useful the day you have to audit the CIFS log files of a NetApp filer.

  • bourazaniss

    Sorry if you found my answer aggressive. I didn't want to sound like that. My point is that if you can use Event Viewer directly and this is working OK, what advantage do you have in reading .evtx files directly, and do you have to stick with that?

  • mathieurv

    Well, you are right, I should have explained my problem further.

    When you want to audit the CIFS accesses made on the shares of a NetApp filer, you configure it to create ".evt" files, and you have no access to the file using an event viewer: no RPC, no WMI, just the .evt files.

    So that is the reason why I have to ask NXLog to parse the .evt files and inject the events into my Graylog server.

    The explanation I gave about retrieving events from Event Viewer was just there as proof that my setup was correct.

  • Bergdolt Pierre

    Hello,


    For the NetApp audit log you can also configure it to generate an XML log file. Then you can (relatively) easily parse these files with NXLog using regular expressions and have them processed by Graylog.