Hello there, I am having some issues with NXLog using xm_xml. The regex seems to match fine, so I think it's something else. When I try to run it, I get a completely blank file. Here is my config:

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">/
    #EndLine    /^\s*</entry>/
</Extension>

<Extension _xml>
    Module      xm_xml
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input in3>
    Module        im_file
    File          "C:\\Users\\administrator\\Desktop\\2016.xml"
    InputType     multiline
    SavePos       FALSE
    ReadFromLast  FALSE
    Exec          if $raw_event !~ /^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">/ drop();
    Exec          parse_xml();
    Exec          to_json();
</Input>

<Output out3>
    Module  om_file
    File    "C:\\Users\\administrator\\Desktop\\testxml.txt"
</Output>

Sample Data:
<Obj RefId="0">
<TN RefId="0">
<T>System.Diagnostics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing/4673</T>
<T>System.Diagnostics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing</T>
<T>System.Diagnostics.EventLogEntry</T>
<T>System.ComponentModel.Component</T>
<T>System.MarshalByRefObject</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.EventLogEntry</ToString>
<Props>
<S N="MachineName">testServer.ad.testDomain.com</S>
<BA N="Data" />
<I32 N="Index">447206</I32>
<S N="Category">(13056)</S>
<I16 N="CategoryNumber">13056</I16>
<I32 N="EventID">4673</I32>
<Obj N="EntryType" RefId="1">
<TN RefId="1">
<T>System.Diagnostics.EventLogEntryType</T>
<T>System.Enum</T>
<T>System.ValueType</T>
<T>System.Object</T>
</TN>
<ToString>SuccessAudit</ToString>
<I32>8</I32>
</Obj>
<S N="Message">A privileged service was called._x000D__x000A__x000D__x000A_Subject:_x000D__x000A__x0009_Security ID:_x0009__x0009_S-1-5-21-26028188-150678075-188441444-157239_x000D__x000A__x0009_Account Name:_x0009__x0009_testAccount_x000D__x000A__x0009_Account Domain:_x0009__x0009_testDomain_x000D__x000A__x0009_Logon ID:_x0009__x0009_0x2053a6e4_x000D__x000A__x000D__x000A_Service:_x000D__x000A__x0009_Server:_x0009_Security_x000D__x000A__x0009_Service Name:_x0009_-_x000D__x000A__x000D__x000A_Process:_x000D__x000A__x0009_Process ID:_x0009_0x1770_x000D__x000A__x0009_Process Name:_x0009_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_x000D__x000A__x000D__x000A_Service Request Information:_x000D__x000A__x0009_Privileges:_x0009__x0009_SeCreateGlobalPrivilege</S>
<S N="Source">Microsoft-Windows-Security-Auditing</S>
<Obj N="ReplacementStrings" RefId="2">
<TN RefId="2">
<T>System.String[]</T>
<T>System.Array</T>
<T>System.Object</T>
</TN>
<LST>
<S>S-1-5-21-26028188-150678075-188441444-157239</S>
<S>testAccount</S>
<S>testDomain</S>
<S>0x2053a6e4</S>
<S>Security</S>
<S>-</S>
<S>SeCreateGlobalPrivilege</S>
<S>0x1770</S>
<S>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</S>
</LST>
</Obj>
<I64 N="InstanceId">4673</I64>
<DT N="TimeGenerated">2018-08-14T08:34:37-04:00</DT>
<DT N="TimeWritten">2018-08-14T08:34:37-04:00</DT>
<Nil N="UserName" />
<Nil N="Site" />
<Nil N="Container" />
</Props>
<MS>
<I32 N="EventID">4673</I32>
</MS>
</Obj>

Asked August 14, 2018 - 10:00pm

Comments (1)

  • Zhengshi (NXLog)

    I ran a test using your input and config. I changed the file locations but left everything else the same. I received the output below.
    Maybe the file locations are not accurate?
    It could be that the user the NXLog service is running as doesn't have access to the admin directory. You might try copying the files to your temp directory and running it from the foreground so you can watch in real time.

    1. Stop the service
    2. Run nxlog -f from inside the nxlog install directory

    You could also check the nxlog log files to see if there are any errors that may give you more details.

    {
      "EventReceivedTime": "2018-08-16T10:27:08.986309-05:00",
      "SourceModuleName": "in3",
      "SourceModuleType": "im_file",
      "Obj.TN.T": "System.Object",
      "Obj.ToString": "System.Diagnostics.EventLogEntry",
      "Obj.Props.S": "Microsoft-Windows-Security-Auditing",
      "Obj.Props.I32": "4673",
      "Obj.Props.I16": "13056",
      "Obj.Props.Obj.TN.T": "System.Object",
      "Obj.Props.Obj.ToString": "SuccessAudit",
      "Obj.Props.Obj.I32": "8",
      "Obj.Props.Obj.LST.S": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "Obj.Props.I64": "4673",
      "Obj.Props.DT": "2018-08-14T08:34:37-04:00",
      "Obj.MS.I32": "4673"
    }
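    To see what the flattening in that JSON does to a Security audit record, here is an added Python reconstruction (not NXLog's code and not the poster's): it splits a constructed CLIXML stream with the poster's HeaderLine regex and flattens each record into dotted keys where a repeated path keeps only the last value, as the output above shows (assumed to hold generally). Note that the Message text lands in Obj.Props.S and is overwritten by Source, so the audit detail never reaches the output file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's file): two trimmed Export-Clixml records.
SAMPLE = """\
<Obj RefId="0">
<TN RefId="0"><T>System.Diagnostics.EventLogEntry</T><T>System.Object</T></TN>
<Props>
<S N="MachineName">testServer.ad.testDomain.com</S>
<BA N="Data" />
<I32 N="EventID">4673</I32>
<Obj N="EntryType" RefId="1"><ToString>SuccessAudit</ToString><I32>8</I32></Obj>
<S N="Message">A privileged service was called.</S>
<S N="Source">Microsoft-Windows-Security-Auditing</S>
</Props>
</Obj>
<Obj RefId="2">
<Props><I32 N="EventID">4624</I32><S N="Source">Microsoft-Windows-Security-Auditing</S></Props>
</Obj>
"""

# The poster's HeaderLine; the nested <Obj N="EntryType" RefId="1"> has N= first, so no match.
HEADER = re.compile(r'^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">')

def split_records(text):
    """Cut the stream like HeaderLine does: every matching line starts a new record."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line) or not records:
            records.append([])
        records[-1].append(line)
    return ["\n".join(r) for r in records]

def leaves(elem, path=""):
    """Yield (dotted element path, text) for every element with text; attributes are ignored."""
    p = f"{path}.{elem.tag}" if path else elem.tag
    if elem.text and elem.text.strip():
        yield p, elem.text.strip()
    for child in elem:
        yield from leaves(child, p)

def flatten_like_xm_xml(record):
    """Last writer wins per path, matching the comment's JSON (assumed to hold generally)."""
    return {p: v for p, v in leaves(ET.fromstring(record))}

def collided_paths(record):
    """Paths seen more than once: every value but the last is silently lost."""
    seen = [p for p, _ in leaves(ET.fromstring(record))]
    return sorted({p for p in seen if seen.count(p) > 1})
```

Running collided_paths over your real file is a quick way to list which N="..." properties you would have to rename or extract before parse_xml() to keep them.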

Answers (0)