I want to store my logs in an .evtx file on Windows. I tried the following configuration.

<Output out2>
    Module  om_file
    File    '%ROOT%\tmp\test.evtx'
</Output>

This created an .evtx file, but it could also be opened with Notepad, WordPad, etc. For security purposes, I want to make it open with the MS Event Viewer API only.

Is this possible using the nxlog om_file module? Is there any plugin for nxlog to store data in .evtx files?

Asked November 9, 2016 - 11:23am

Answer (1)

There is no support for writing .evtx files in NXLog currently.

im_file can write both text and binary data, but it needs to be in the correct format. EVTX is a proprietary binary format, and only the Windows Eventlog API can write it.

Just because evtx cannot be opened with a text viewer does not mean your data is more secure. You should have proper access control in place instead of trying to hide data in a binary format.

Comments (2)

  • b0ti

    The NXLog EE has a processor module called pm_hmac that adds a rolling checksum to each log message, as well as pm_ts, which can use an external timestamp authority server.

    Other than that you could integrate an external solution that protects the log files when they are rotated.

    There are many solutions that could possibly be used to do what you want. For example, on Linux files can be set to immutable using chattr, which will prevent further modifications to a file. This can also be implemented using special hardware. A cheap example is writing data to a DVD that can only be written once.

    You should define the requirements on what you want to protect against.
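As an added illustration of the "rolling checksum" idea mentioned in the comment above (this is example code written for this page, not NXLog's pm_hmac implementation, whose on-disk format and key handling are not described here), the Python below seals each log line with an HMAC that also covers the previous line's tag. Any edit or deletion in the middle of the file breaks the chain at the first affected line. The shared key, the sample log lines, the genesis value and the tab-separated file layout are all constructed assumptions for the demo. The final check shows the one thing a chain alone cannot catch, truncation at the end, and why the last tag must be anchored outside the file (for instance with an external timestamp authority, as pm_ts is described as doing).

```python
import hmac
import hashlib

# Constructed demo key; in practice the verifier's key must not live
# on the host that writes the log, otherwise an attacker who can edit
# the file can also re-seal it.
KEY = b"example-shared-secret-for-demo"

# Constructed sample log lines (not real data).
SAMPLE_LINES = [
    "2016-11-09 11:23:01 INFO  service started",
    "2016-11-09 11:23:05 WARN  login failed for user alice",
    "2016-11-09 11:23:09 INFO  login ok for user bob",
]

# Fixed starting value for the chain (an assumption of this demo).
GENESIS = b"\x00" * 32


def _tag(key, prev_tag, line):
    """HMAC-SHA256 over (previous tag || line). Chaining on the previous
    tag is what turns per-line checksums into a tamper-evident sequence."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def seal_lines(lines, key=KEY):
    """Return a list of (line, hex_tag) pairs, one per input line."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = _tag(key, prev, line)
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify_sealed(sealed, key=KEY, expected_last_tag=None):
    """Return the index of the first line whose tag does not verify,
    len(sealed) if the chain is consistent but does not end at
    expected_last_tag (truncation), or None if everything checks out."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if expected_last_tag is not None and not hmac.compare_digest(prev.hex(), expected_last_tag):
        return len(sealed)
    return None


def to_text(sealed):
    """Serialize as 'line<TAB>tag' records, the layout assumed by this demo."""
    return "".join(f"{line}\t{tag}\n" for line, tag in sealed)


def from_text(text):
    """Parse the layout produced by to_text back into (line, tag) pairs."""
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        line, tag = raw.rsplit("\t", 1)
        records.append((line, tag))
    return records


if __name__ == "__main__":
    sealed = seal_lines(SAMPLE_LINES)
    print(to_text(sealed))
    print("intact:", verify_sealed(sealed))
    tampered = list(sealed)
    tampered[1] = (tampered[1][0].replace("alice", "mallory"), tampered[1][1])
    print("edited line 1 detected at index:", verify_sealed(tampered))
    print("truncated file, no anchor:", verify_sealed(sealed[:2]))
    print("truncated file, anchored last tag:",
          verify_sealed(sealed[:2], expected_last_tag=sealed[-1][1]))
```

Deleting a record is caught for the same reason an edit is: the next record's tag was computed over the removed record's tag, so the chain breaks at that position. Truncating the tail leaves a self-consistent prefix, which is why the writer should periodically publish the latest tag somewhere the log host cannot rewrite (a separate collector, a timestamping service, or write-once media as the comment suggests) and the verifier should pass that value as expected_last_tag.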