Hi,

I am using NXLog to fetch events from a Windows server to a SIEM. But in some events, it is adding an extra "white space" before the timestamp. Due to the extra white space, the SIEM fails to parse the log.

Here are some samples

Log with extra white space; please look after "EventTime": it has an extra space before the timestamp

2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime": "2020-05-20 14:10:59","Hostname":"Monsoon.LTDIC.com","Keywords":-

A standard log which gets parsed

2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime":"2017-09-05 10:11:10","Hostname":"

Below is my conf file

#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
    Module  xm_json
</Extension>

<Input MSEvtIN>
    # For Windows 2003 and earlier use the following:
    #Module im_mseventlog
    # For Windows Vista/2008 and later use the following:
    Module  im_msvistalog
    Exec    to_json();
</Input>

<Output MSEvtOUT>
    Module  om_udp
    Host    DNIF-Adapter-IP
    Port    514
</Output>

<Route 1>
    Path    MSEvtIN => MSEvtOUT
</Route>
Asked May 25, 2020 - 4:36pm

Comments (7)

  • Arkadiy (NXLog)

    Hi,

    It would be much easier if we could see the original event that was parsed incorrectly.
    Could you get one for us?

    Regards, Arch

  • ashutosh

    Hi,

    Extremely sorry, I cannot get a raw event from this environment. I can provide you samples of the logs that are shipped by NXLog to my syslog server.

    Thanks.
    Ashutosh

  • Arkadiy (NXLog)

    Hi,

    It's a bit unfortunate, because there is nothing in the nxlog config presented which could cause such behavior.
    You could try to add some regex to your config which would try to catch and fix the whitespace.

    Regards, Arch

  • ashutosh

    Hi,

    Fixing the parser was my primary solution. But the SIEM provider already raised their hands, saying that the data is not in perfect format and they can't change their parser to match this criterion.

    Now I am left with a bunch of security data not getting parsed.

    Thanks.

  • Arkadiy (NXLog)

    Hi,

    What I'm talking about is to use the nxlog language to make a config able to catch and fix such things. It should fix the mentioned errors.
    Please check regex support here: https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#lang_literals and the sections after it.

    My suggestion is that the data are coming to nxlog already broken.

    Sincerely, Arch
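
The regex-based fix Arch is pointing at, written out as an added NXLog configuration example. This is not code from the thread or from NXLog's documentation; it assumes the same im_msvistalog input, xm_json extension and om_udp output as the original post (DNIF-Adapter-IP is the poster's placeholder for the SIEM address) and targets only the "EventTime" key, the one key the samples show affected. It pairs the rewrite with a log_warning so that every normalised event leaves a trace in nxlog.log and the size of the parsing gap stays measurable rather than silently disappearing.

```nxlog
# Added example (not the poster's config): normalise the spacing after the
# "EventTime" key before the event leaves nxlog, and record each occurrence
# in LogFile so the number of affected events can be counted later.
# Assumes the input/output modules and the DNIF-Adapter-IP placeholder
# from the original post.

<Extension json>
    Module  xm_json
</Extension>

<Input MSEvtIN>
    Module  im_msvistalog
    Exec    to_json();
    # Detection: one warning line in nxlog.log per affected event.
    Exec    if $raw_event =~ /"EventTime":\s+"/ log_warning("EventTime value preceded by whitespace; normalising");
    # Mitigation: rewrite  "EventTime": "..."  to  "EventTime":"..."  so the
    # SIEM parser receives the compact form it expects.
    Exec    $raw_event =~ s/"EventTime":\s+"/"EventTime":"/;
</Input>

<Output MSEvtOUT>
    Module  om_udp
    Host    DNIF-Adapter-IP
    Port    514
</Output>

<Route 1>
    Path    MSEvtIN => MSEvtOUT
</Route>
```

The substitution runs on $raw_event after to_json(), so it only touches the serialised string that is sent on the wire; the parsed fields themselves are left as they were. NXLog regular expressions are PCRE, so \s+ also absorbs tabs and multiple spaces. Counting the warning lines in nxlog.log over a day gives a concrete figure for how many security events would otherwise have been dropped by the SIEM, which is the number to raise with the SIEM provider. As Arch notes, this works around the symptom in the pipeline; it does not explain where the extra whitespace originates.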

Answers (0)