Extra Space in Windows Event Log

#1 ashutosh

Hi,

I am using NXLog to fetch events from a Windows server to a SIEM. But in some events, it is adding an extra "white space" before the timestamp. Due to the extra white space, the SIEM fails to parse the log.

Here are some samples

Log with extra white space; please look after "EventTime": it has an extra space before the timestamp.

2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime": "2020-05-20 14:10:59","Hostname":"Monsoon.LTDIC.com","Keywords":-

A standard log which gets parsed

2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime":"2017-09-05 10:11:10","Hostname":"

Below is my conf file

#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
Module xm_json
</Extension>

<Input MSEvtIN>
# For windows 2003 and earlier use the following:
#Module im_mseventlog
# For windows 2005 and later use the following:
Module im_msvistalog
Exec to_json();
</Input>

<Output MSEvtOUT>
Module om_udp
Host DNIF-Adapter-IP
Port 514
</Output>

<Route 1>
Path MSEvtIN => MSEvtOUT
</Route>
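To show why the spaced record trips a parser keyed on the literal sequence "EventTime":" while a real JSON decoder accepts both forms, here is an added Python example (not code from the post or from NXLog). The two lines are constructed from the post's samples with the truncated payloads completed, and the Keywords value is a made-up placeholder.

```python
import json
import re
from datetime import datetime

# Constructed sample lines modelled on the two records in the post (payloads
# completed so they are valid JSON; the Keywords number is a placeholder).
SPACED = ('2020-05-20T14:10:39.984056+05:30 10.7.24.101 '
          '{"EventTime": "2020-05-20 14:10:59","Hostname":"Monsoon.LTDIC.com","Keywords":-9223372036854775808}')
STANDARD = ('2020-05-20T14:10:39.984056+05:30 10.7.24.101 '
            '{"EventTime":"2017-09-05 10:11:10","Hostname":"Monsoon.LTDIC.com","Keywords":-9223372036854775808}')

# Layout of a line as received over om_udp on port 514: <syslog ts> <source ip> <json>.
HEADER_RE = re.compile(r'^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\{.*\})$')

# A brittle extractor of the kind that breaks on the spaced variant: it keys on the
# exact byte sequence "EventTime":" and therefore misses "EventTime": "...".
NAIVE_RE = re.compile(r'"EventTime":"([^"]+)"')


def naive_event_time(line):
    """Return EventTime via the literal-match approach, or None when it misses."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def parse_event(line):
    """Split the syslog header, then hand the JSON body to a real JSON parser.
    RFC 8259 permits whitespace around ':' so both variants decode identically."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    received, source, body = m.groups()
    event = json.loads(body)
    # Normalise EventTime into a datetime so downstream code never sees raw text.
    event['EventTime'] = datetime.strptime(event['EventTime'], '%Y-%m-%d %H:%M:%S')
    event['_received'] = received
    event['_source'] = source
    return event


if __name__ == '__main__':
    for line in (STANDARD, SPACED):
        print('naive:', naive_event_time(line), '| json:', parse_event(line)['EventTime'])
```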

    
#2 Arkadiy (Deactivated) Nxlog ✓

Hi,

It would be much easier if we could see the original event which was parsed incorrectly. Could you get one for us?

Regards, Arch