
Hi,

I have an issue with my configuration.
I am trying to send EventIDs to syslog with NXLog.
But I am French and the logs contain accented characters,
and NXLog replaces them with "Ç" or other characters.
For example: é --> Ç

Example:

02-20-2020 16:17:25 User.Info 10.28.201.50 1 2020-02-20T16:17:24.248999+01:00 PC-MGMT-INFRA-HDV Microsoft-Windows-Security-Auditing 532 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4726" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="13824" OpcodeValue="0" RecordNumber="435937" ActivityID="{40052197-E800-0000-1A22-054000E8D501}" ThreadID="488" Channel="Security" Category="User Account Management" Opcode="Informations" TargetUserName="TEST-LOG" TargetDomainName="PC-MGMT-INFRA-H" TargetSid="S-1-5-21-398120947-1394256007-3495492944-1004" SubjectUserSid="S-1-5-21-398120947-1394256007-3495492944-500" SubjectUserName="Administrateur" SubjectDomainName="PC-MGMT-INFRA-H" SubjectLogonId="0x689a9" PrivilegeList="-" EventReceivedTime="2020-02-20 16:17:25" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] Un compte dƒ?Tutilisateur a ǸtǸ supprimǸ. Sujet¶ÿ: ID de sǸcuritǸ¶ÿ: S-1-5-21-398120947-1394256007-3495492944-500 Nom du compte¶ÿ: Administrateur Domaine du compte¶ÿ: PC-MGMT-INFRA-H ID dƒ?Touverture de session¶ÿ: 0x689A9 Compte cible¶ÿ: ID de sǸcuritǸ¶ÿ: S-1-5-21-398120947-1394256007-3495492944-1004 Nom du compte¶ÿ: TEST-LOG Domaine du compte¶ÿ: PC-MGMT-INFRA-H Informations supplǸmentaires¶ÿ: PrivilÇùges -

Can you help me?

Asked February 20, 2020 - 4:22pm


  • Arkadiy (NXLog)

    Hello,

    You could use the xm_charconv module to have NXLog convert charsets.
    I think in your case you need to add the following to your config:

    # Loads the charset-conversion module; the charsets listed are the ones
    # convert_fields("auto", ...) may detect on input. Multi-byte encodings
    # are listed before the single-byte iso8859-1 (Latin-1) fallback.
    <Extension charconv>
        Module              xm_charconv
        AutodetectCharsets  utf-8, utf-16, utf-32, iso8859-1
    </Extension>
    
    # Fragment only: the "..." lines stand for the input module's existing
    # directives. convert_fields() rewrites every field of each event from the
    # detected charset to utf-8.
    <Input input>
        ...
        Exec                convert_fields("auto", "utf-8");
        ...
    </Input>
    

    If that doesn't work, please share your config with us.

    Regards, Arch

  • aauvinet

    Hi,

    It doesn't work.

    I am posting my configuration below.

    # Global settings, path defines and the EventID lists that the eventlog
    # input below uses as a whitelist (anything not listed is dropped).
    Panic Soft
    #NoFreeOnExit TRUE
    
    # NOTE(review): CERTDIR and CONFDIR are defined but not referenced anywhere
    # in this config (no TLS output uses the certificate directory).
    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    
    #ANSSI https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
    # Spelling "Hight" is kept as-is because the eventlog input references
    # %Anssi_Hight% by this exact name; rename both together if you fix it.
    define Anssi_Hight         4610, 4614, 4618, 4649, 4719, 4765,4766, 4794, \
                               4964, 1102
    
    #ANSSI https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
    define Anssi_Medium        4706, 4713, 4716, 4724, 4739, 4740, 4768, 4769, \
                               4770, 4771, 4772, 4773, 4774, 4775, 4776, 4777, \
                               4780, 4865, 4867, 4907, 4908, 5030, 5038, 6145
    
    #ANSSI  https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
    # (casing differs from Anssi_Hight/Anssi_Medium; kept because the input
    # references %Anssi_low% as written)
    define Anssi_low           4608, 4609, 4698, 4702, 4704, 4782
    
    #Windows Brute Force Logon from 1 source for 1 account
    define SOC_AD_Bruteforce   4625, 4768, 4776, 4771 
    
    #Modification critical group
    define SOC_AD_Critical_Group_Modification 4728, 4732, 4756, 4729, 4757, 4733
    
    #Logins to a single account from different workstations
    # (same EventID list as SOC_AD_Bruteforce; the distinction only matters to
    # the downstream correlation rule, not to this filter)
    define SOC_AD_Bruteforce_By_Multiple_Sources   4625, 4768, 4776, 4771
    
    #Lock of multiple accounts
    define SOC_AD_Multiple_Accounts_Locked 4740, 4767
    
    define SOC_AD_Kerberoasting 4769
    
    define SOC_AD_New_Service 4697
    
    define SOC_AD_Builtin_Groups_Modifications 5136
    
    # NOTE(review): 106 and 104, if meant as Task Scheduler events, live in the
    # TaskScheduler operational channel, which the eventlog input's QueryXML
    # does not select - confirm which channel is intended.
    define SOC_AD_Scheduled_Task_Modifications 4698, 4702, 4704, 106, 104
    
    define SOC_AD_Suspicious_Process_Creation 4688
    
    define SOC_AD_Suspicious_Services_Installation 7045
    
    define SOC_AD_User_Backdoor 4738, 5136
    
    define SOC_AD_Mimikatz_Object_Access 4663
    
    define  SOC_AD_Massive_Account_Deletion 4726
    
    define SOC_AD_Suspicious_Process_External_Firewall_Connections 5156
    
    define SOC_AD_Builtin_Process_Creation 4688
    
    define SOC_AD_Local_Account_Created 4720
    
    define SOC_AD_RDP_Over_SSH_Tunneling 5156
    
    define SOC_AD_Suspicious_Kerberos_RC4_Ticket_Encryption 4769
    
    # Successful logon; name does not follow the SOC_AD_ prefix convention used
    # by the other lists (kept as-is because the input references %logon%).
    define logon   4624 
    
    
    
    
    
    #The following EventIDs are not used but are listed at:
    # https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html
    
    
    
    # NXLog's own log; rotated by the _fileop schedules below.
    LogFile %LOGFILE%
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    # Provides to_syslog_ietf(), used by the out_syslog output.
    <Extension _syslog>
        Module      xm_syslog
    </Extension>
    
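    # Provides convert_fields(), used by the eventlog input.
    # iso8859-2 is the Central European (Latin-2) set; French accented letters
    # belong to iso8859-1 (Latin-1), so that is the single-byte fallback here.
    # NOTE(review): multi-byte charsets are listed first, following the
    # xm_charconv suggestion above - confirm the detection order against the
    # module documentation for your NXLog version.
    <Extension _charconv>
        Module      xm_charconv
        AutodetectCharsets utf-8, utf-16, utf-32, iso8859-1
    </Extension>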
    # Provides to_json(), used by the out_file output.
    <Extension _json>
        Module  xm_json
    </Extension>
    
    # NOTE(review): xm_exec (external program execution) is loaded but nothing
    # in this config calls it; an unused extension is best removed so the agent
    # only carries the capabilities it needs.
    <Extension _exec>
        Module      xm_exec
    </Extension>
    
    # File helpers used only to rotate NXLog's own log (%LOGFILE%); the
    # out_file output's JSON file is not covered by these schedules.
    <Extension _fileop>
        Module      xm_fileop
    
        # Check the size of our log file hourly, rotate if larger than 5MB
        # (file_cycle keeps 8 rotated copies)
        <Schedule>
            Every   1 hour
            Exec    if (file_exists('%LOGFILE%') and \
                       (file_size('%LOGFILE%') >= 5M)) \
                        file_cycle('%LOGFILE%', 8);
        </Schedule>
    
        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When    @weekly
            Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>
    
    
    # Collects all events from the Application, Security and System channels
    # and keeps only the EventIDs listed in the defines above.
    <Input eventlog>
        Module                 im_msvistalog
        # Runs on every event before the whitelist below, i.e. also on events
        # that are then dropped. NOTE(review): placing this call inside the
        # <Exec> block after the drop() would avoid that work - confirm.
        Exec                convert_fields("auto", "utf-8");
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Application">*</Select>
                    <Select Path="Security">*</Select>
                    <Select Path="System">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        # Whitelist: an event survives only if its EventID is in at least one
        # list; every other event is discarded with drop(). Several lists
        # overlap (e.g. 4768/4771/4776 appear in Anssi_Medium and the
        # bruteforce lists), which is harmless here.
        <Exec>
           if ($EventID NOT IN (%Anssi_Hight%)) and
              ($EventID NOT IN (%Anssi_Medium%)) and
              ($EventID NOT IN (%Anssi_low%)) and
              ($EventID NOT IN (%SOC_AD_Bruteforce%)) and
              ($EventID NOT IN (%SOC_AD_Critical_Group_Modification%)) and
              ($EventID NOT IN (%SOC_AD_Bruteforce_By_Multiple_Sources%)) and
              ($EventID NOT IN (%SOC_AD_Multiple_Accounts_Locked%)) and
              ($EventID NOT IN (%SOC_AD_Kerberoasting%)) and
              ($EventID NOT IN (%SOC_AD_New_Service%)) and
              ($EventID NOT IN (%SOC_AD_Builtin_Groups_Modifications%)) and
              ($EventID NOT IN (%SOC_AD_Scheduled_Task_Modifications%)) and
              ($EventID NOT IN (%SOC_AD_Suspicious_Process_Creation%)) and
              ($EventID NOT IN (%SOC_AD_Suspicious_Services_Installation%)) and
              ($EventID NOT IN (%SOC_AD_User_Backdoor%)) and
              ($EventID NOT IN (%SOC_AD_Mimikatz_Object_Access%)) and
              ($EventID NOT IN (%SOC_AD_Massive_Account_Deletion%)) and
              ($EventID NOT IN (%SOC_AD_Suspicious_Process_External_Firewall_Connections%)) and
              ($EventID NOT IN (%SOC_AD_Builtin_Process_Creation%)) and
              ($EventID NOT IN (%SOC_AD_Local_Account_Created%)) and
              ($EventID NOT IN (%SOC_AD_RDP_Over_SSH_Tunneling%)) and
              ($EventID NOT IN (%SOC_AD_Suspicious_Kerberos_RC4_Ticket_Encryption%)) and
              ($EventID NOT IN (%logon%))
              drop();
        </Exec>
    </Input>
    
    
    
    # Ships the filtered Security/System/Application events as IETF syslog
    # over plain UDP. NOTE(review): UDP gives neither delivery guarantee nor
    # confidentiality/integrity for audit data (account names, SIDs); the
    # config already defines CERTDIR, so a TLS-based output (om_ssl) is the
    # natural hardening step if the collector supports it.
    <Output out_syslog>
        Module  om_udp
        Host    10.28.203.50
        Port    514
        Exec    to_syslog_ietf();
    </Output>
    
    # Local JSON copy of every forwarded event.
    # NOTE(review): the ".txt.txt" double extension looks like a typo; more
    # importantly this file is not rotated (the _fileop schedules only handle
    # %LOGFILE%), so it grows without bound, and it holds audit data that
    # should be protected with a restrictive ACL.
    <Output out_file>
        Module  om_file
        File    'C:\Program Files (x86)\nxlog\data\json.txt.txt'
        Exec    to_json();
    </Output>
    
    
    # Every event that survives the eventlog filter goes to both outputs.
    <Route eventlog_to_out>
        Path    eventlog => out_syslog, out_file
    </Route>
    
