Sending Windows Defender event logs to syslog properly
Hi,
I want to use nxlog to send all Windows logs to syslog, plus Microsoft-Windows-Windows Defender/Operational; however, as "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" doesn't seem to include "Microsoft-Windows-Windows Defender", it doesn't read that config in at start and send those Windows Defender logs.
How can I get nxlog to send everything it does now, plus the Microsoft-Windows-Windows Defender logs, without having to define everything? The only way I can see to do this is with two im_msvistalog definitions, i.e.
    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension syslog>
        Module  xm_syslog
    </Extension>

    <Input eventlog>
        Module  im_msvistalog
    </Input>

    <Input eventlog_defender>
        Module  im_msvistalog
        # multi-line directive values need a trailing backslash on each continued line
        Query   <QueryList>                                                                  \
                    <Query Id="0">                                                           \
                        <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> \
                    </Query>                                                                 \
                </QueryList>
    </Input>

    <Processor eventlog_transformer>
        Module        pm_transformer
        Exec          $Hostname = hostname();
        OutputFormat  syslog_rfc3164
    </Processor>

    <Output syslogout>
        Module  om_ssl
        # [removed, but it's to Papertrail]
    </Output>

    <Route 1>
        Path  eventlog => eventlog_transformer => syslogout
    </Route>

    <Route 2>
        Path  eventlog_defender => eventlog_transformer => syslogout
    </Route>
That seems to work, except there are three problems compared to when I only have the Microsoft-Windows-Windows Defender input going and the other blocks deleted:
- The Windows Defender logging is a little inconsistent: when testing with an EICAR test virus, the event doesn't always appear, probably a 50% chance it appears in the syslog (all events appear in the Windows log)
- The severity and source are copied from the previous log line (usually info rather than warn severity, and not Microsoft-Windows-Windows Defender), maybe a threading issue?
- Each row of text is on its own line rather than all in a single message, which is what happens when it's the only logging being sent
Is there a better way to do 'everything' plus Microsoft-Windows-Windows Defender?
You can see a screenshot of the "bad" message at https://www.dropbox.com/s/vldibp38o4nbjey/unnamed.jpg?dl=0 showing problems 2 and 3 above, if it helps.
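A single-input variant, added here as an illustration and not taken from the thread: one im_msvistalog Query lists the standard channels together with the Defender Operational channel, so the whole stream goes through one input and one route, the same shape as the Defender-only setup the poster says behaves correctly. Which channels "everything" should cover is an assumption; Application, Security and System are used below and should be adjusted to whatever the EventLog registry key actually lists on the host.

```apacheconf
<Extension syslog>
    Module  xm_syslog
</Extension>

# Assumption: Application, Security and System stand in for the channels the
# default im_msvistalog query reads; add or remove Select lines to match the host.
# The Defender channel is named explicitly because it is not under the
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog key that the default query uses.
<Input eventlog_all>
    Module  im_msvistalog
    Query   <QueryList>                                                                  \
                <Query Id="0">                                                           \
                    <Select Path="Application">*</Select>                                \
                    <Select Path="Security">*</Select>                                   \
                    <Select Path="System">*</Select>                                     \
                    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> \
                </Query>                                                                 \
            </QueryList>
</Input>

<Processor eventlog_transformer>
    Module        pm_transformer
    Exec          $Hostname = hostname();
    OutputFormat  syslog_rfc3164
</Processor>

<Output syslogout>
    Module  om_ssl
    # TLS connection details as in the original config (omitted here)
</Output>

<Route 1>
    Path  eventlog_all => eventlog_transformer => syslogout
</Route>
```

To confirm the Defender channel name before relying on it, compare the Path value against the channel list in Event Viewer (Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational).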
