
Hey all,

I want to be able to capture the event IDs of Windows events in my SIEM, but currently they don't come through and I'm not sure what changes need to be made to make them come through. Below are my config files and an example of how they come in. Any ideas? Thanks in advance.

How events come in:

10 Jul 2019 16:57:42.364<14>Jul 10 12:57:40 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Local Authority service entered the running state.
10 Jul 2019 16:57:43.385<14>Jul 10 12:57:41 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Processor service entered the running state.

Config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>



<Input eventlog>
    Module          im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output tcp>
    Module          om_tcp
    Host            ********
    Port            ********
    Exec            to_syslog_bsd();
</Output>

<Route eventlog_to_tcp>
    Path            eventlog => tcp
</Route>
Asked July 10, 2019 - 7:42pm

Answer (1)

Hello,

You could re-write the $Message field as follows:
Exec $Message = 'EventID: ' + $EventID + ' ' + $Message;
This would give you:

2019-07-10 14:46:14 INFO <14>Jul 10 14:46:13 WIN-LU43V8BOQ6J Service_Control_Manager[572]: EventID: 7036 The Microsoft Account Sign-in Assistant service entered the stopped state.

Or you could grab all fields by adding a $Message = to_json(); instead.
Exec $Message = to_json(); to_syslog_bsd();

2019-07-10 14:48:08 INFO <14>Jul 10 14:48:06 WIN-LU43V8BOQ6J Service_Control_Manager[572]: {"EventTime":"2019-07-10 14:48:06","Hostname":"WIN-LU43V8BOQ6J","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":53436,"ExecutionProcessID":572,"ExecutionThreadID":1864,"Channel":"System","Message":"The Software Protection service entered the running state.","param1":"Software Protection","param2":"running","EventReceivedTime":"2019-07-10 14:48:08","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}

Either way, your SIEM will need to know how to parse the message to extract the EventID.
That should get you in the right direction.

Answered July 10, 2019 - 9:49pm

Comments (2)

  • adminman

    First, thank you for your answer; it's super helpful!

    That top one, "Exec $Message = 'EventID: ' + $EventID + ' ' + $Message;", seems perfect, but I'm not sure where in the config to put it. I tried in between "Exec" and "to_syslog_bsd();" but that didn't seem right.

    Also my SIEM only accepts raw data and has no ability to parse that I'm aware of.

    July 11, 2019 - 7:50pm
  • Zhengshi (NXLog)

    You could add a new line in your Input section for it. That is what I did. You just need this done before you convert to Syslog so that it has the proper fields.

    July 11, 2019 - 9:25pm
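As an added example (not part of the original thread), this is the asker's Input/Output section with the $Message rewrite from the answer placed where the follow-up says it belongs: in the Input block, so it runs before to_syslog_bsd() in the Output. It assumes placeholder Host/Port values, and it loads xm_json, since to_json() comes from that extension and the posted config does not load it.

```nxlog
# Added example, not the thread's own config. Host/Port are placeholders.

<Extension _syslog>
    Module      xm_syslog
</Extension>

# to_json() is provided by xm_json; the original config does not load it.
<Extension _json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module          im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Option A: prepend the EventID to the message text while the event
    # fields are still separate. 'defined' skips records with no EventID.
    Exec    if defined $EventID $Message = 'EventID: ' + $EventID + ' ' + $Message;
</Input>

<Output tcp>
    Module          om_tcp
    Host            SIEM_HOST_PLACEHOLDER
    Port            514
    # Option B (use instead of Option A): replace the message body with all
    # fields as JSON, then wrap it in BSD syslog. Uncomment to enable.
    # Exec            $Message = to_json();
    Exec            to_syslog_bsd();
</Output>

<Route eventlog_to_tcp>
    Path            eventlog => tcp
</Route>
```

The Exec in the Input runs per record before the Output's to_syslog_bsd() collapses the fields into a single syslog line, which is why placing it after the conversion had no effect.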