Hi,

I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with the MTU size. The default MTU is 1500 (i.e. 1472 bytes of actual payload length), but there are many events in Windows which are much larger than 1472 bytes. Events with a length greater than 1472 bytes are getting truncated at 1472 bytes and are received only partially on the syslog server. This is creating a problem for my SIEM when parsing the logs.

Can anyone please help me in diagnosing and resolving this?

What I know about MTU is that if packets are larger than 1472 bytes, MTU fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.

################
#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
Module xm_json
</Extension>

<Input MSEvtIN>
# For windows 2003 and earlier use the following:
#Module im_mseventlog
# For windows 2005 and later use the following:
Module im_msvistalog
Exec to_json();
</Input>

<Output MSEvtOUT>
Module om_udp
Host DNIF-Adapter-IP
Port 514
</Output>

<Route 1>
Path MSEvtIN => MSEvtOUT
</Route>

Asked March 27, 2020 - 1:15pm

Comments (11)

  • ashutosh

    Hi,

    I cannot use om_tcp because of the bandwidth and processing constraints I have. I don't want the machines to be busy doing TCP handshakes. The amount of logs is comparatively huge.

    Regards,
    Ashutosh

  • ashutosh

    Thanks Manuel,

    But I am using NXLog at a customer. The servers are remote and are not under my control. I can only provide a standard config file that gets deployed throughout their infra.
    I thought about removing unnecessary parts from the logs, but that would rule out compliance. I must take the full log and keep two copies of the original without any modification.

  • ashutosh

    Below are two log samples. I cannot fetch the original events from the Event Log; below are the ones I see at the syslog server. As you can see, they are truncated exactly after 1472 bytes.

    2020-03-18T14:53:12.102638+05:30 192.168.xx.xxx {"EventTime": "2020-03-18 14:56:22","Hostname":"something.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4768,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":14339,"OpcodeValue":0,"RecordNumber":5952540823,"ProcessID":788,"ThreadID":2836,"Channel":"Security","Message":"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\abc_12345678\r\n\tSupplied Realm Name:\tabcde\r\n\tUser ID:\t\t\tS-1-5-21-1048257463-4036688864-1072923025-12245\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1048257463-4036688864-1072923025-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:192.168.xx.xx\r\n\tClient Port:\t\t62163\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.","Category":"Kerberos Authentication Service","Opcode":"Info","TargetUseer which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.","Category":"Kerberos Service Ticket Operations","Opcode":"Info","TargetUserName":"ab_12345678@abcde.COM","TargetDomainName":"abced.COM","ServiceName":"PBLPDFILER$","ServiceSid":"S-1-5-21-1048257463-4036688864-1072923025-1284","TicketOptions":"0x40810000","TicketEncryptionType":"0x12","IpAddress":"::ffff:192.168.xx.yyy","I

    2020-03-18T14:52:50.071523+05:30 192.168.xx.yyy4 {"EventTime": "2020-03-18 14:55:59","Hostname":"zxcvb.abcde.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4769,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":14337,"OpcodeValue":0,"RecordNumber":5952537103,"ProcessID":788,"ThreadID":5028,"Channel":"Security","Message":"A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tab_12345678@abcde.COM\r\n\tAccount Domain:\t\tabcde.COM\r\n\tLogon GUID:\t\t{58EFE546-5E6A-AF8F-CCB6-996A56753193}\r\n\r\nService Information:\r\n\tService Name:\t\tPBLPDFILER$\r\n\tService ID:\t\tS-1-5-21-1048257463-4036688864-1072923025-1284\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.9.212.46\r\n\tClient Port:\t\t51577\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller r which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.","Category":"Kerberos Service Ticket Operations","Opcode":"Info","TargetUserName":"ab_12345678@abcde.COM","TargetDomainName":"abcde.COM","ServiceName":"PBLPDFILER$","ServiceSid":"S-1-5-21-1048257463-4036688864-1072923025-1284","TicketOptions":"0x40810000","TicketEncryptionType":"0x12","IpAddress":"::ffff:192.168.xx.yyy","IpPort":"53294","Status":"0x0","LogonGuid":"{58EFE546-5E6A-AF8F-CCB6-996A56753193}","TransmittedServices":"-","EventReceivedTime":"2020-03-18 14:56:00","SourceModuleName":"MSEvtIN","SourceModuleType":"im_msvistal
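
    One way to detect this failure mode on the receiving side, as an added example that is not part of the thread and not NXLog's own code: it strips the syslog header the receiver prepends, tries to parse the JSON payload, and for payloads that fail to parse recovers EventID and RecordNumber from the partial text (so the event can be traced back to the source host's Event Log) and flags whether the cut falls exactly at the 1472-byte payload budget of a 1500-byte IPv4 MTU. The sample lines, hostnames, IPs and record numbers are constructed placeholders, not data from the thread.

```python
import json
import re

# Payload budget behind the 1472 figure in the thread: 1500-byte Ethernet MTU
# minus the 20-byte IPv4 header and the 8-byte UDP header.
UDP_PAYLOAD_BUDGET = 1500 - 20 - 8

# Header written by the receiving syslog server in the thread's samples:
# "<timestamp> <source-ip> <json payload>"
_SYSLOG_HEADER = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<payload>\{.*)$", re.DOTALL)

# Pulls a few identifying fields out of a JSON fragment that no longer parses.
_FIELD = re.compile(r'"(EventID|RecordNumber|Hostname)":\s*("?)([^",}]*)\2')


def classify_line(line: str) -> dict:
    """Describe whether the JSON payload of one received syslog line is intact."""
    m = _SYSLOG_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return {"status": "no-json-payload", "bytes": len(line.encode("utf-8"))}
    payload = m.group("payload")
    size = len(payload.encode("utf-8"))
    info = {"bytes": size, "source": m.group("host")}
    try:
        event = json.loads(payload)
        info.update(status="complete", event_id=event.get("EventID"),
                    record=event.get("RecordNumber"))
        return info
    except json.JSONDecodeError:
        pass
    # The payload does not parse: recover what we can from the partial text and
    # record whether the truncation point matches the UDP payload budget.
    fields = {key: value for key, _quote, value in _FIELD.findall(payload)}
    info.update(
        status="truncated",
        event_id=int(fields["EventID"]) if "EventID" in fields else None,
        record=int(fields["RecordNumber"]) if "RecordNumber" in fields else None,
        at_udp_budget=(size == UDP_PAYLOAD_BUDGET),
    )
    return info


def report(lines):
    """Classify every received line; callers can alert on any 'truncated' entry."""
    return [classify_line(line) for line in lines]


def _build_event(event_id: int, record: int, message: str) -> str:
    """Constructed im_msvistalog-style event rendered as compact JSON (sample data)."""
    event = {
        "EventTime": "2020-03-18 14:56:22", "Hostname": "dc01.example.test",
        "EventType": "AUDIT_SUCCESS", "EventID": event_id,
        "SourceName": "Microsoft-Windows-Security-Auditing",
        "RecordNumber": record, "Channel": "Security", "Message": message,
    }
    return json.dumps(event, separators=(",", ":"))


# Constructed samples: one short event that fits, and one long event cut at
# exactly UDP_PAYLOAD_BUDGET bytes, mirroring the truncation seen in the thread.
_LONG_MESSAGE = "A Kerberos authentication ticket (TGT) was requested.\r\n" + "Padding line.\r\n" * 120
SAMPLE_LINES = [
    "2020-03-18T14:53:12+05:30 192.0.2.10 " + _build_event(4624, 101, "An account was successfully logged on."),
    "2020-03-18T14:53:13+05:30 192.0.2.10 " + _build_event(4768, 102, _LONG_MESSAGE)[:UDP_PAYLOAD_BUDGET],
]

if __name__ == "__main__":
    for entry in report(SAMPLE_LINES):
        print(entry)
```

    Feeding the receiver's raw syslog file through `report()` gives a per-line status; a sudden cluster of "truncated" entries whose `bytes` value sits exactly at the budget points at a datagram-size limit rather than at a malformed event.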

  • Misaziv (NXLog)

    Hi,

    I think this is the option you need:

    SockBufSize
    This optional directive sets the socket buffer size (SO_SNDBUF) to the value specified. If this is not set, the operating system default is used.

    More on om_udp

    Because of this: In UDP SO_SNDBUF can determine the maximum datagram size.

    Please give it a go and let me know if it works for you.

    Kind regards,

    ~MisaZ

Answers (0)