I am trying to collect Windows Defender event logs on our Windows clients and forward them to our central log server (Graylog).

I have included the Windows Defender log in the config file's search query like this:

    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>

This basically seems to work, as there are messages coming through to the log server (mostly EventID 1150/1151), but the important ones (1116, 1117, ...) don't show up.
I already tried to select 1116 and 1117 specifically in the query and provoked some entries of that type, but to no avail. The events are in the event log, but they don't make it out of the client system.

Searching the web didn't get me anywhere either, so I'm trying my luck with the NXLog community.

Any help would be very much appreciated!

Asked August 21, 2018 - 2:21pm

Comments (4)

  • Zhengshi

    I would create a new route with im_msvistalog to om_file and set ReadFromLast and SavePos to false, then check for their inclusion in the text file.
    It is possible that 1116 and 1117 (MALWAREPROTECTION_STATE_MALWARE_DETECTED and MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN) haven't occurred since you started NXLog. It is also possible that your central syslog server is rejecting them for some reason.
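
    As an added illustration of the diagnostic layout described above (not configuration from this thread or from NXLog's own docs), here is an nxlog.conf that reads the Defender Operational channel once from the beginning and feeds it both to a local JSON debug file and to the GELF/UDP output. The Graylog host name, the file path and the port 5414 from the question are assumptions; adjust them for your environment.

    ```apacheconf
    # Added example configuration, not from the original thread.
    # Assumes NXLog on Windows with the default module directory.

    <Extension json>
        Module      xm_json
    </Extension>

    <Extension gelf>
        Module      xm_gelf
    </Extension>

    # Read the Defender Operational channel from the start of the log and do
    # not persist the read position: every restart replays the whole channel,
    # which is what you want while debugging but NOT for the production route.
    <Input defender>
        Module      im_msvistalog
        ReadFromLast FALSE
        SavePos     FALSE
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    # Local copy of every parsed event, including $EventID, so you can grep
    # the file for 1116/1117 and confirm im_msvistalog is reading them.
    <Output debugfile>
        Module      om_file
        File        'C:\Program Files (x86)\nxlog\data\defender_debug.log'   # assumed path
        Exec        to_json();
    </Output>

    # The forwarding output from the question; Host is an assumed placeholder.
    <Output graylog>
        Module      om_udp
        Host        graylog.example.internal
        Port        5414
        OutputType  GELF
    </Output>

    # Two routes from the same input: if an event shows up in the debug file
    # but not in Graylog, the problem is on the network path or the receiver.
    <Route debug>
        Path        defender => debugfile
    </Route>

    <Route forward>
        Path        defender => graylog
    </Route>
    ```

    Remove the debug route and set ReadFromLast/SavePos back to their defaults once you have confirmed where the events stop.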

  • taxter

    Thank you very much for the quick reply!
    I tried what you suggested, and in the log file I can see all of the desired event logs, just as they are seen in the Windows Event Viewer.
    So the problem is either in the vistalog module or somewhere on the way to the log server.
    I'm using a very basic setting like this one

        <Output graylog>
            Module      om_udp
            Port        5414
            OutputType  GELF
        </Output>

    to get my messages to the log server. I don't see any such "missing" events with the other channels (Application, Security, System, ...).
    How can I narrow it down further to pinpoint the actual problem?


  • Zhengshi

    > So the problem is either in the vistalog module or somewhere on the way to the logserver.

    Since you are seeing the proper events in the output text file, im_msvistalog is working correctly. It is still possible that you have not gotten those two events since NXLog was started.
    At this point, creating a 1116 or 1117 event manually and running Wireshark, tcpdump, or similar may be useful. That will help you see where the packets are going. If they are created and sent, then it would be the Graylog server not receiving them.

    Hopefully this is enough to help you find the culprit.

  • taxter

    Right, good point (and wrong thinking on my end) - im_msvistalog is involved in the same way when writing to a file!

    Thanks again for the pointers, I'll try to go after this on the network level.

Answers (0)