
Hello, I am testing nxlog to see if it works with sending security logs to our SIEM. I only want to send the Security events on our servers, and have our config file as shown:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
# Uncomment the following to collect specific event logs only
     Query <QueryList>\
               <Query Id="0">\
#                  <Select Path="Application">*</Select>\
#                  <Select Path="System">*</Select>\
                   <Select Path="Security">*</Select>\
               </Query>\
           </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        10.250.254.19
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>


I get some security logs, but many are missing, like logon/logoff events (4624, 4634).

1. Why are these events missing? and

2. Eventually, I would like to only send certain Event IDs to our SIEM, and hope to get help with an example of what the query would look like with the specific Event IDs needed.

I will want to just send PCI Event IDs to our SIEM for retention.

Asked July 1, 2016 - 6:41pm

Answer (1)

You can filter on specific event ids using the appropriate query xml. You can test and then copy from Event Viewer.

E.g.:

<QueryXML>
    <QueryList>
        <Query Id="0">
            <Select Path="Security">*[System[(EventID=42 or EventID=4242)]]</Select>
        </Query>
    </QueryList>
</QueryXML>

AFAIK the missing events are caused by a permissions setting problem on the DC and are not an issue with NXLog per se.
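As an added example (not from the answer above or from the NXLog project), here is a complete query list that selects only a handful of Security event IDs. The 4624/4634 logon/logoff IDs come from the question; 4625 (failed logon), 4672 (special privileges assigned to a new logon) and 4720 (user account created) are assumed as illustrative extras and should be replaced with whatever list you settle on. The XML goes inside `<QueryXML> ... </QueryXML>` within the im_msvistalog `<Input>` block, replacing the backslash-continued `Query` directive, so no line-continuation characters are needed.

```xml
<QueryList>
  <!-- One Query element; the Id must be unique within the list -->
  <Query Id="0" Path="Security">
    <!-- Only the listed Security event IDs are collected; everything else in the
         channel is ignored. IDs other than 4624/4634 are illustrative assumptions. -->
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4672 or EventID=4720)]]
    </Select>
  </Query>
</QueryList>
```

Before putting the query into nxlog.conf, paste it into Event Viewer (Filter Current Log, XML tab) and confirm it returns the events you expect; if it returns nothing for 4624/4634 there either, the events are not being written or readable on that host, which is a Windows-side audit policy or permissions matter rather than a filtering one. Windows caps the number of clauses a single query may contain, so a long ID list should be split across several `<Query>` elements with distinct `Id` values.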

Comments (2)

  • adm (NXLog)

    On Windows it runs under the System account by default, though this can be configured with some effort to be more restrictive.

    I'm not exactly sure on the correct solution but I have seen this issue pop up in various forums with hints to DC and permissions. It's usually an all-or-nothing problem wrt the Security log and not affecting specific events only.

    There are some suggestions related to Windows Event Forwarding such as this that talk about adding the NetworkService account to the Event Log Readers group but afaik this is not relevant in this case, though there are other tips there which might solve it. Especially see the "Security Event Log Forwarding on Domain Controllers" section towards the end on this page.

    If you figure it out please post the solution here for future reference.