Having some issues with xm_xml

#1 Deleted user

Hello there, I am having some issues with NxLog using xm_xml. The regex seems to match fine, so I think it's something else. When I try to run it, I get a completely blank file. Here is my config:

<Extension multiline>
    Module      xm_multiline
    # Each record starts at an <Obj RefId="n"> line (RefId up to four digits)
    HeaderLine  /^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">/
    #EndLine    /^\s*<\/entry>/
</Extension>

<Extension _xml>
    Module      xm_xml
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input in3>
    Module          im_file
    File            "C:\\Users\\administrator\\Desktop\\2016.xml"
    InputType       multiline
    SavePos         FALSE
    ReadFromLast    FALSE
    # Discard any record that does not begin with the <Obj RefId="n"> header
    Exec            if $raw_event !~ /^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">/ drop();
    Exec            parse_xml();
    Exec            to_json();
</Input>

<Output out3>
    Module      om_file
    File        "C:\\Users\\administrator\\Desktop\\testxml.txt"
</Output>

Sample Data: <Obj RefId="0"> <TN RefId="0"> <T>System.Diagnostics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing/4673</T> <T>System.Diagnostics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing</T> <T>System.Diagnostics.EventLogEntry</T> <T>System.ComponentModel.Component</T> <T>System.MarshalByRefObject</T> <T>System.Object</T> </TN> <ToString>System.Diagnostics.EventLogEntry</ToString> <Props> <S N="MachineName">testServer.ad.testDomain.com</S> <BA N="Data" /> <I32 N="Index">447206</I32> <S N="Category">(13056)</S> <I16 N="CategoryNumber">13056</I16> <I32 N="EventID">4673</I32> <Obj N="EntryType" RefId="1"> <TN RefId="1"> <T>System.Diagnostics.EventLogEntryType</T> <T>System.Enum</T> <T>System.ValueType</T> <T>System.Object</T> </TN> <ToString>SuccessAudit</ToString> <I32>8</I32> </Obj> <S N="Message">A privileged service was called._x000D__x000A__x000D__x000A_Subject:_x000D__x000A__x0009_Security ID:_x0009__x0009_S-1-5-21-26028188-150678075-188441444-157239_x000D__x000A__x0009_Account Name:_x0009__x0009_testAccount_x000D__x000A__x0009_Account Domain:_x0009__x0009_testDomain_x000D__x000A__x0009_Logon ID:_x0009__x0009_0x2053a6e4_x000D__x000A__x000D__x000A_Service:_x000D__x000A__x0009_Server:_x0009_Security_x000D__x000A__x0009_Service Name:x0009-_x000D__x000A__x000D__x000A_Process:_x000D__x000A__x0009_Process ID:_x0009_0x1770_x000D__x000A__x0009_Process Name:_x0009_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_x000D__x000A__x000D__x000A_Service Request Information:_x000D__x000A__x0009_Privileges:_x0009__x0009_SeCreateGlobalPrivilege</S> <S N="Source">Microsoft-Windows-Security-Auditing</S> <Obj N="ReplacementStrings" RefId="2"> <TN RefId="2"> <T>System.String[]</T> <T>System.Array</T> <T>System.Object</T> </TN> <LST> <S>S-1-5-21-26028188-150678075-188441444-157239</S> <S>testAccount</S> <S>testDomain</S> <S>0x2053a6e4</S> <S>Security</S> <S>-</S> <S>SeCreateGlobalPrivilege</S> <S>0x1770</S> 
<S>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</S> </LST> </Obj> <I64 N="InstanceId">4673</I64> <DT N="TimeGenerated">2018-08-14T08:34:37-04:00</DT> <DT N="TimeWritten">2018-08-14T08:34:37-04:00</DT> <Nil N="UserName" /> <Nil N="Site" /> <Nil N="Container" /> </Props> <MS> <I32 N="EventID">4673</I32> </MS> </Obj>

#2 Zhengshi Nxlog ✓

I ran a test using your input and config. I changed the file locations but left everything else the same. I received the output below.
Maybe the file locations are not accurate?
It could be that the user the NXLog service is running as doesn't have access to the admin directory. You might try copying the files to your temp directory and running it from the foreground so you can watch in real time.

  1. Stop the service
  2. Run nxlog -f from inside the nxlog install directory

You could also check the nxlog log files to see if there are any errors that may give you more details.

{
  "EventReceivedTime": "2018-08-16T10:27:08.986309-05:00",
  "SourceModuleName": "in3",
  "SourceModuleType": "im_file",
  "Obj.TN.T": "System.Object",
  "Obj.ToString": "System.Diagnostics.EventLogEntry",
  "Obj.Props.S": "Microsoft-Windows-Security-Auditing",
  "Obj.Props.I32": "4673",
  "Obj.Props.I16": "13056",
  "Obj.Props.Obj.TN.T": "System.Object",
  "Obj.Props.Obj.ToString": "SuccessAudit",
  "Obj.Props.Obj.I32": "8",
  "Obj.Props.Obj.LST.S": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "Obj.Props.I64": "4673",
  "Obj.Props.DT": "2018-08-14T08:34:37-04:00",
  "Obj.MS.I32": "4673"
}
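The output above shows the shape parse_xml() gives this data: element names joined with dots, attributes such as N="..." and RefId ignored, and repeated siblings at the same path collapsed to the last value, which is why the Message text and most of the ReplacementStrings never reach the JSON. The following is an added example (not NXLog's code and not the poster's) that models that flattening on an abridged copy of the question's sample and lists the values a downstream SIEM rule would never see.

```python
import xml.etree.ElementTree as ET

# Abridged from the sample in the question: same structure, fewer <T>/<S> siblings.
SAMPLE_XML = r"""<Obj RefId="0">
  <TN RefId="0"><T>System.Diagnostics.EventLogEntry</T><T>System.Object</T></TN>
  <ToString>System.Diagnostics.EventLogEntry</ToString>
  <Props>
    <S N="MachineName">testServer.ad.testDomain.com</S> <BA N="Data" />
    <I32 N="Index">447206</I32> <S N="Category">(13056)</S>
    <I16 N="CategoryNumber">13056</I16> <I32 N="EventID">4673</I32>
    <Obj N="EntryType" RefId="1">
      <TN RefId="1"><T>System.Diagnostics.EventLogEntryType</T><T>System.Object</T></TN>
      <ToString>SuccessAudit</ToString> <I32>8</I32>
    </Obj>
    <S N="Message">A privileged service was called. Account Name: testAccount Privileges: SeCreateGlobalPrivilege</S>
    <S N="Source">Microsoft-Windows-Security-Auditing</S>
    <Obj N="ReplacementStrings" RefId="2">
      <TN RefId="2"><T>System.String[]</T><T>System.Object</T></TN>
      <LST><S>S-1-5-21-26028188-150678075-188441444-157239</S> <S>testAccount</S>
        <S>SeCreateGlobalPrivilege</S> <S>0x1770</S>
        <S>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</S></LST>
    </Obj>
    <I64 N="InstanceId">4673</I64>
    <DT N="TimeGenerated">2018-08-14T08:34:37-04:00</DT>
    <DT N="TimeWritten">2018-08-14T08:34:37-04:00</DT> <Nil N="UserName" />
  </Props>
  <MS><I32 N="EventID">4673</I32></MS>
</Obj>"""


def collect_leaves(xml_text: str) -> dict:
    """{dotted.path: [every non-empty text value, in document order]}; attributes ignored."""
    root = ET.fromstring(xml_text)
    leaves = {}
    def walk(elem, path):
        if len(elem):                                # container: descend, emit no key itself
            for child in elem:
                walk(child, f"{path}.{child.tag}")
        elif elem.text and elem.text.strip():        # leaf with text; <Nil/> and <BA/> yield nothing
            leaves.setdefault(path, []).append(elem.text.strip())
    walk(root, root.tag)
    return leaves


def flatten_xml(xml_text: str) -> dict:
    """Last-value-wins flattening; reproduces the twelve Obj.* keys in the output above."""
    return {p: vals[-1] for p, vals in collect_leaves(xml_text).items()}


def dropped_values(xml_text: str) -> list:
    """(path, value) pairs that are overwritten by a later sibling and so never reach the JSON."""
    return [(p, v) for p, vals in collect_leaves(xml_text).items() for v in vals[:-1]]
```

Running dropped_values() on the full sample is a quick way to confirm which audit details (Message, Subject SID, account name) the config discards before writing the JSON.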