Some Windows events are missing their EventData section

#1 AmirG

Hello,

I'm using NXlog CE 2.10.2102 on a Win 2012 R2 x64 server to collect both the four default Windows logs and the Forwarded Events and send them to a Syslog server as Snare formatted. However, some events only contain their System segment, missing their entire EventData. For example, all of events 1000 and 1001 and all 4624 events with Kerberos login. 4624 with Advapi are passed just fine. I've no idea why that is; any idea would be welcome.

Here's my configuration:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
LogLevel  INFO

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents"></Select>
                <Select Path="Application"></Select>
                <Select Path="System"></Select>
                <Select Path="Security"></Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Message =~ s/(\t|\R)/ /g;
        to_syslog_snare();
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host 1.2.3.4
</Output>

<Route 66>
    Path in => out
</Route>

#4 b0ti Nxlog ✓

Forwarded Events have EventData under a <RenderingInfo> element, unlike normal Windows event log records. This is not parsed by NXLog yet. I believe this is what you are missing.
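As an added illustration of the answer above (not code from the thread or from NXLog), here is a small Python parser that reads the Data fields of a Windows event record whether they sit under the standard <EventData> element or, as the answer describes for forwarded events, under <RenderingInfo>. The two records are constructed samples, and the RenderingInfo layout follows the answer's description rather than a captured record; the second function reports which records a collector that only reads <EventData> would ship with an empty body.

```python
import xml.etree.ElementTree as ET

# Real namespace used by every Windows event XML record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a locally collected 4624 with the usual <EventData>.
LOCAL_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID><Channel>Security</Channel></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data></EventData>
</Event>"""

# Constructed sample: the same event as a forwarded record, with the Data
# fields placed under <RenderingInfo> as the answer describes (hypothetical layout).
FORWARDED_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID><Channel>Security</Channel></System>
  <RenderingInfo Culture="en-US">
    <Message>An account was successfully logged on.</Message>
    <EventData><Data Name="TargetUserName">alice</Data>
      <Data Name="LogonType">3</Data>
      <Data Name="AuthenticationPackageName">Kerberos</Data></EventData>
  </RenderingInfo>
</Event>"""

def parse_event(xml_text):
    """Return (event_id, channel, location, data): location is 'EventData',
    'RenderingInfo' or None; data maps each Data Name to its text."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    channel = system.findtext("e:Channel", namespaces=NS)
    # Try the standard location first, then the one the answer describes.
    for location, path in (("EventData", "e:EventData"),
                           ("RenderingInfo", "e:RenderingInfo/e:EventData")):
        node = root.find(path, NS)
        if node is not None:
            data = {}
            for i, d in enumerate(node.findall("e:Data", NS)):
                data[d.get("Name", f"Data{i}")] = (d.text or "").strip()
            return event_id, channel, location, data
    return event_id, channel, None, {}

def events_losing_data(records):
    """Event IDs whose Data is anywhere except the standard <EventData>, i.e.
    the records that arrive at the syslog server with only a System segment."""
    return [parse_event(r)[0] for r in records if parse_event(r)[2] != "EventData"]
```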