
Hi there,

I'm having a little trouble trying to filter events with patterndb.xml

I'm sending logs to our SIEM, but despite the corresponding event IDs missing from patterndb, they are still getting pushed.

I think my configuration setup is overruling the patterndb config.

Can you please review?

Thanks for your time.

#
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#
# Version: 0.1.0
# Last modification: 2019-07-03
#

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS x.x..x.xx
define OUTPUT_DESTINATION_PORT 12346789

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>


<Output out>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    # Convert microsecond timestamps to epoch seconds before serialising
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

# Route 1 sends eventlog and internal straight to "out"; it does not pass
# through the pm_pattern processor defined below
<Route 1>
    Path    eventlog, internal => out
</Route>
############################################################################
####                      NXLOG WITH PATTERNDB                         #####
####    Uncomment the following lines for Windows Events filtered      #####
############################################################################

<Input internal_Pattern>
    Module      im_internal
</Input>

<Input eventlog_Pattern>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Processor match_events>
     Module          pm_pattern
     PatternFile     %ROOT%\conf\patterndb.xml
</Processor>

<Output out_Pattern>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        if not defined $PatternID or not defined $Message { drop(); }
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route route_Pattern>
    Path    eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>

############################################################################
#####                     /NXLOG WITH PATTERNDB                        #####
############################################################################
Asked February 19, 2020 - 4:39am

Comments (1)

  • Arkadiy (NXLog)

    Hello Jared,

    I think I have some thoughts on how to fix this one.
    Could you try to comment out the check for defined $Message so it would look like this:

    Exec    if not defined $PatternID drop();

    Please let us know if this info was helpful for you.

    Best regards, Arch

Answers (0)
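For reference, a single-route version of the configuration from the question, added here as an illustration rather than taken from the thread or from NXLog's own templates. As posted, `Route 1` delivers every event from `eventlog` to `out` without passing through `match_events`, so the pattern filter in `route_Pattern` never sees that copy; the version below keeps only the patterndb path. Address, port and the patterndb location are placeholders.

```apacheconf
define ROOT C:\Program Files (x86)\nxlog
# Placeholder values (assumption): replace with the real SIEM collector.
define OUTPUT_DESTINATION_ADDRESS 192.0.2.10
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>
<Extension syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

# pm_pattern sets $PatternID (and $PatternName) only on events that
# match an entry in patterndb.xml; unmatched events leave it undefined.
<Processor match_events>
    Module      pm_pattern
    PatternFile %ROOT%\conf\patterndb.xml
</Processor>

<Output out>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    # Drop anything patterndb did not recognise before it is serialised.
    Exec        if not defined $PatternID drop();
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>
# One route only: there is no second, unfiltered path to the SIEM.
<Route filtered>
    Path    eventlog => match_events => out
</Route>
```

Check `%ROOT%\data\nxlog.log` after a restart: if the SIEM still receives events whose IDs are absent from patterndb.xml, the remaining cause is the pattern file itself, not a bypass route.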