
I'm attempting to enrich some Windows event logs with "ClientMachine", which needs to equal the hostname. I'm having issues with only some logs coming through with these enriched fields, while others do not contain the ClientMachine enrichment. My config is below. Any help would be greatly appreciated.

Panic Soft
define ROOT C:\Program Files\nxlog
#ModuleDir %ROOT%\modules
#CacheDir %ROOT%\data
#SpoolDir %ROOT%\data

#define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set `LogFile` below and
# disable the `include` line.
LogFile %MYLOGFILE%

<Extension _syslog>
Module xm_syslog
</Extension>

<Input in>
Module im_msvistalog
</Input>

<Output out>
Exec $ClientMachine = hostname_fqdn();
Module om_tcp
Host 192.168.1.20
Port 11105
Exec to_syslog_snare();
</Output>

<Route 1>
Path in => out
</Route>

Asked August 28, 2019 - 11:38pm

Comments (2)

  • Zhengshi (NXLog)

    I believe you may have two issues

    One issue is related to how hostname_fqdn() gets its values.
    Basically we use a lookup on the OS to get the reverse DNS entry that we pick up. If the machine cannot resolve the FQDN then it will fall back to the short form.
    https://nxlog.co/question/2212/nxlog-exec-hostname-hostnamefqdn-not-working

    For the second issue, I believe to_syslog_snare() only updates $raw_event with certain fields. See the following link under to_syslog_snare().
    https://nxlog.co/documentation/nxlog-user-guide/xm_syslog.html#xm_syslog_procs

    You will likely want to change the $Message field to include your data so that the procedure updates $raw_event properly. Something like the following before to_syslog_snare().
    Exec $Message = $Message + " ClientMachine = " + $ClientMachine;

    Hope that helps!
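Putting the comment's two points together, the Output block below is an added example (not configuration from the original poster or from NXLog itself) of how the enrichment would be written so that it survives to_syslog_snare(). The Host, Port and field label are assumptions carried over from the question; the defined() guard is an added precaution for events that arrive without a $Message field.

```nxlog
<Output out>
    Module      om_tcp
    Host        192.168.1.20
    Port        11105

    # Set the enrichment field. hostname_fqdn() relies on the OS reverse
    # lookup and falls back to the short hostname when that lookup fails,
    # so the value may differ between machines with and without a PTR record.
    Exec        $ClientMachine = hostname_fqdn();

    # to_syslog_snare() only serialises a fixed set of fields into $raw_event,
    # and $ClientMachine is not one of them. Fold the value into $Message,
    # which is carried, before the Snare formatting runs. Guard against
    # events that have no $Message so the concatenation does not yield undef.
    Exec        if defined($Message) $Message = $Message + " ClientMachine=" + $ClientMachine; \
                else $Message = "ClientMachine=" + $ClientMachine;

    # Now every event forwarded over TCP carries ClientMachine in its text.
    Exec        to_syslog_snare();
</Output>
```

On the receiving side, search the Snare message text for `ClientMachine=` to confirm the field is present on every event rather than only those where the original $Message happened to include the hostname.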
