Configuration to send Windows Security Logs only

#1 cwalter

Hello, I am testing nxlog to see if it works with sending security logs to our SIEM. I only want to send the security events on our servers, and have our config file as shown:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
# Uncomment the following to collect specific event logs only
     Query <QueryList>\
               <Query Id="0">\
#                  <Select Path="Application">*</Select>\
#                  <Select Path="System">*</Select>\
                   <Select Path="Security">*</Select>\
               </Query>\
           </QueryList>  
</Input>

<Output out>
    Module      om_udp
    Host        10.250.254.19
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>


I get some security logs, but many are missing, like logon/logoff events (4624, 4634).

1. Why are these events missing, and

2. Eventually, I would like to only send certain Event IDs to our SIEM, and hope to get help with an example of what the query would look like with the specific Event IDs needed.

I will want to just send PCI Event IDs to our SIEM for retention.

#2 adm Nxlog ✓

You can filter on specific event ids using the appropriate query xml. You can test and then copy from Event Viewer.

E.g.:

<QueryXML>
   <QueryList>
     <Query Id="0">
        <Select Path="Security">*[System[(EventID=42 or EventID=4242)]]</Select>
     </Query>
   </QueryList>
</QueryXML>

AFAIK the missing events are caused by a permissions setting problem on the DC and are not an issue with NXLog per se.
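A small Python helper, added here and not part of the original thread or of NXLog itself, that generates the QueryXML block above for any list of event IDs (for instance the 4624/4634 logon events from the question) and checks the selection offline against constructed sample events. The sample events and the matcher are assumptions that mirror the query's semantics (channel plus EventID), not Windows' own XPath engine:

```python
import re
import xml.etree.ElementTree as ET

# Real Windows event XML namespace; the events themselves are constructed samples.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SAMPLE_EVENTS = [
    f'<Event xmlns="{EVENT_NS}"><System><Channel>Security</Channel>'
    '<EventID>4624</EventID></System></Event>',
    f'<Event xmlns="{EVENT_NS}"><System><Channel>Security</Channel>'
    '<EventID>4672</EventID></System></Event>',
    f'<Event xmlns="{EVENT_NS}"><System><Channel>Security</Channel>'
    '<EventID>4634</EventID></System></Event>',
    # Same ID on another channel: the Path attribute must keep this one out.
    f'<Event xmlns="{EVENT_NS}"><System><Channel>System</Channel>'
    '<EventID>4624</EventID></System></Event>',
]


def build_query_xml(channel, event_ids):
    """Return a <QueryXML> block for im_msvistalog selecting only event_ids on channel."""
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one event ID is required")
    condition = " or ".join(f"EventID={i}" for i in ids)
    return (
        "<QueryXML>\n"
        "  <QueryList>\n"
        '    <Query Id="0">\n'
        f'      <Select Path="{channel}">*[System[({condition})]]</Select>\n'
        "    </Query>\n"
        "  </QueryList>\n"
        "</QueryXML>"
    )


def parse_query_xml(query_xml):
    """Parse a generated block back into (channel, set of IDs); raises on malformed XML."""
    select = ET.fromstring(query_xml).find("./QueryList/Query/Select")
    ids = {int(i) for i in re.findall(r"EventID=(\d+)", select.text)}
    return select.attrib["Path"], ids


def select_events(events_xml, channel, event_ids):
    """Mirror the query's semantics offline: keep events on channel whose EventID is wanted."""
    wanted = {int(i) for i in event_ids}
    kept = []
    for text in events_xml:
        system = ET.fromstring(text).find("e:System", NS)
        chan = system.findtext("e:Channel", default="", namespaces=NS)
        eid = int(system.findtext("e:EventID", default="0", namespaces=NS))
        if chan == channel and eid in wanted:
            kept.append(eid)
    return kept
```

Paste the output of build_query_xml into the im_msvistalog input block in place of the Query directive; extend the ID list with the remaining IDs your PCI retention policy requires.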