6 responses

Hello,

Is there a way to import .evt files with nxlog? Using im_file doesn't throw errors, but data doesn't seem to ship.

I also tried using:

module im_mseventlog
file "file_path"

but that didn't work either.

Thanks for your help.

Asked July 20, 2018 - 4:46pm

Answers (2)

Please see the manual for descriptions of the directives.
Note that in this example I have everything in the default locations.
To find the event log files, right click on the logs inside of EventLog and choose properties.
For System, this gave me %SystemRoot%\System32\Winevt\Logs\System.evtx

<Input eventlog>
    Module  im_msvistalog
    File    C:\Windows\System32\winevt\Logs\system.evtx
</Input>

<Output output>
    Module  om_file
    File    "C:\Windows\Temp\evt.log"
    Exec    to_json();
</Output>

If this is not working for you, it is possible that the path is incorrect or there is something else going on. In the case of errors, nxlog.log should produce something to go off of, or you can run nxlog from the command line with nxlog -f after stopping the service with sc stop nxlog.

Comments (4)

  • motts

    Thanks for your response. Here is my conf that I tried.

    <Extension json>
    Module xm_json
    </Extension>

    <Input in>
    Module im_mseventlog
    File "C:\\Users\\Administrator\\Desktop\\Server2003Security.evt"
    Exec to_json();
    </Input>

    <Output out2>
    Module om_file
    File "C:\\Users\\Administrator\\Desktop\\windowsevents.txt"
    </Output>

    <Route out2>
    Path in => out2
    </Route>

    This, however, throws errors stating there are configuration errors in module 'in'. If I change the input module to im_file, no errors are thrown, but no data is sent.

  • Zhengshi (NXLog)

    Would need to see full logs and know which version of NXLog EE you are running to get any further. The logs should state specifically what the issue is and where the configuration error is.

  • motts

    I have the Community Edition.

    Here is the error I get when I use im_mseventlog and the File argument.

    2018-07-20 12:48:23 ERROR invalid keyword: File at C:\Program Files (x86)\nxlog\conf\nxlog.conf:26

    Line 26 is the File argument

    File "C:\\Users\\Administrator\\Desktop\\Server2003Security.evt"

    Here are the properties of the file when I right-click and choose Properties:

    C:\Users\Administrator\Desktop\Server2003Security.evt

    The file path should have double \\ but I tried \ instead, and it also returned an error.

  • Zhengshi (NXLog)

    Ok that explains the discrepancy then. The File directive is only valid in the EE edition, and not CE.

    https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_mseventlog
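The thread above mixes two on-disk formats: the answer's im_msvistalog example reads a modern .evtx file, while the question concerns a Windows Server 2003 .evt file. Before choosing an input module it is worth checking which format a file actually is, since both carry a recognisable header. The following sniffer is an added example, not nxlog project code; the sample byte strings are constructed inline, and the module hints it returns only restate what the thread says (im_msvistalog with File for .evtx, and the File directive on im_mseventlog being EE-only).

```python
"""Identify whether a Windows event log file is legacy .evt or modern .evtx.

Added example (not nxlog code). Signatures used are the documented on-disk
headers: an EVTX file starts with the 8-byte magic b"ElfFile\x00"; a legacy
EVT file starts with a 0x30-byte header record whose second DWORD is the
signature b"LfLe" (0x654C664C, little-endian).
"""
import struct

EVTX_MAGIC = b"ElfFile\x00"
EVT_SIGNATURE = b"LfLe"
EVT_HEADER_SIZE = 0x30

# Constructed samples: minimal prefixes that carry the real header signatures.
SAMPLE_EVTX = EVTX_MAGIC + b"\x00" * 8
SAMPLE_EVT = struct.pack("<I4s", EVT_HEADER_SIZE, EVT_SIGNATURE) + b"\x00" * 8
SAMPLE_TEXT = b"2018-07-20 12:48:23 not an event log\n"


def detect_eventlog_format(data: bytes) -> str:
    """Return 'evtx', 'evt' or 'unknown' from the first bytes of a file."""
    if data[:8] == EVTX_MAGIC:
        return "evtx"
    if len(data) >= 8:
        header_size, signature = struct.unpack_from("<I4s", data, 0)
        if header_size == EVT_HEADER_SIZE and signature == EVT_SIGNATURE:
            return "evt"
    return "unknown"


def detect_file(path: str) -> str:
    """Sniff a file on disk; 16 bytes is enough for both signatures."""
    with open(path, "rb") as fh:
        return detect_eventlog_format(fh.read(16))


def module_hint(fmt: str) -> str:
    """Map the detected format to what the thread says about nxlog modules."""
    if fmt == "evtx":
        return "im_msvistalog with a File directive (see the accepted answer)"
    if fmt == "evt":
        return "legacy .evt; im_mseventlog's File directive is EE-only, not CE"
    return "not a Windows event log; im_file would only tail it as text"


if __name__ == "__main__":
    for name, blob in (("evtx", SAMPLE_EVTX), ("evt", SAMPLE_EVT), ("txt", SAMPLE_TEXT)):
        fmt = detect_eventlog_format(blob)
        print(f"{name}: {fmt} -> {module_hint(fmt)}")
```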