
Hello,

I'm using NXLog CE 2.10.2150 on a Win2016 server to collect "Forwarded Events" and send them to a syslog server in Snare format.
However, some events only contain their System segment and are missing their entire EventData.

Here's my configuration (EventData Missing):

<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="">\
<Select Path="ForwardedEvents">*</Select>\
</Query>\
</QueryList>
</Input>

<Output out>
Module om_tcp
Host ip_syslogs_server
Port 514
Exec to_syslog_snare();
</Output>

<Route 1>
Path eventlog => out
</Route>

Resulting in (tcpdump):
<14>Nov 11 10:50:37 server2.domain MSWinEventLog 1 Security 2189 Wed Nov 11 10:50:37 2020 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit server2.domain Kerberos Authentication Service N/A 998061427

Here's my configuration (EventData Included):

<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="">\
<Select Path="ForwardedEvents">*</Select>\
</Query>\
</QueryList>
Exec $Message =~ s/(\t|\R)/ /g;
Exec $Message = to_json();
</Input>

<Output out>
Module om_tcp
Host ip_syslogs_server
Port 514
Exec to_syslog_snare();
</Output>

<Route 1>
Path eventlog => out
</Route>

Resulting in (tcpdump):
<14>Nov 11 10:49:36 server1 MSWinEventLog 1 Security 1593 Wed Nov 11 10:49:36 2020 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit server1 Kerberos Authentication Service {"EventTime":"2020-11-11 10:49:36","Hostname":"server1","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4768,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328CXXX}","Version":0,"Task":14339,"OpcodeValue":0,"RecordNumber":953757340,"ProcessID":708,"ThreadID":11484,"Channel":"Security","ERROR_EVT_UNRESOLVED":true,"Category":"Kerberos Authentication Service","Opcode":"Info","TargetUserName":"User1","TargetDomainName":"domain","TargetSid":"S-1-5-21-3493186346-123456789-198542525-123456","ServiceName":"krbtgt","ServiceSid":"S-1-5-21-123456789-2449186506-123456525-502","TicketOptions":"0x40000000","Status":"0x0","TicketEncryptionType":"0x12","PreAuthType":"2","IpAddress":"10.xxx.xxx.xxx","IpPort":"33925","EventReceivedTime":"2020-11-11 10:49:38","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} 953757340

As you can see, NXLog fills the EventData with "N/A" in my first example and with the JSON-encoded full EventData in my second example.
The problem I have is that my parser on the syslog server does not expect JSON-encoded data.

Any Hints?
Thx
Johannes

Asked November 11, 2020 - 11:14am
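To make the two wire formats in the question concrete from the receiving side, here is an added example (not part of the original post or of NXLog) of a small Python parser for the Snare-over-syslog lines shown above. The sample lines are constructed from the two tcpdump captures: Snare fields are tab separated on the wire, and the capture renders those tabs as spaces, so tabs are assumed here; the field layout after the MSWinEventLog tag is taken from the order visible in the captures, and the JSON payload is shortened with a constructed IP address. The parser returns None for EventData when NXLog emitted the N/A placeholder, decodes the to_json() payload when it is present, and can re-render that payload as flat key=value text for a downstream parser that does not understand JSON.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample lines modelled on the tcpdump output in the post above.
# Snare fields are tab separated on the wire; the capture shows them as
# spaces, so tabs are assumed here. The JSON payload is shortened.
SAMPLE_NO_EVENTDATA = (
    "<14>Nov 11 10:50:37 server2.domain MSWinEventLog\t1\tSecurity\t2189\t"
    "Wed Nov 11 10:50:37 2020\t4768\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
    "Success Audit\tserver2.domain\tKerberos Authentication Service\tN/A\t998061427"
)

SAMPLE_JSON_EVENTDATA = (
    "<14>Nov 11 10:49:36 server1 MSWinEventLog\t1\tSecurity\t1593\t"
    "Wed Nov 11 10:49:36 2020\t4768\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
    "Success Audit\tserver1\tKerberos Authentication Service\t"
    '{"EventID":4768,"TargetUserName":"User1","TargetDomainName":"domain",'
    '"ServiceName":"krbtgt","TicketEncryptionType":"0x12","PreAuthType":"2",'
    '"IpAddress":"10.0.0.25","Status":"0x0"}\t953757340'
)

# Names for the tab separated fields that follow the "MSWinEventLog" tag,
# in the order they appear in the captured lines (assumed layout).
SNARE_FIELDS = (
    "criticality", "event_log_source", "snare_counter", "date_time", "event_id",
    "source_name", "user_name", "sid_type", "event_log_type", "computer_name",
    "category", "data", "record_number",
)

# <PRI>, RFC 3164 style timestamp, hostname, then the Snare tag.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) MSWinEventLog\t(?P<body>.*)$",
    re.DOTALL,
)


def parse_event_data(data: str) -> Optional[Dict[str, Any]]:
    """Return EventData as a dict, or None when NXLog emitted the N/A placeholder.

    JSON produced by to_json() is decoded; any other text is kept under "raw".
    """
    data = data.strip()
    if data in ("", "N/A"):
        return None
    if data.startswith("{"):
        try:
            parsed = json.loads(data)
        except json.JSONDecodeError:
            return {"raw": data}
        if isinstance(parsed, dict):
            return parsed
    return {"raw": data}


def parse_snare_line(line: str) -> Dict[str, Any]:
    """Split one Snare-over-syslog line into named fields plus decoded EventData."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snare-over-syslog line")
    pri = int(m.group("pri"))
    event: Dict[str, Any] = {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "syslog_timestamp": m.group("timestamp"),
        "syslog_hostname": m.group("hostname"),
    }
    parts = m.group("body").split("\t")
    if len(parts) != len(SNARE_FIELDS):
        # A stray tab inside the message shifts every later field; the post's
        # s/(\t|\R)/ /g substitution is what keeps the count stable.
        raise ValueError(f"expected {len(SNARE_FIELDS)} Snare fields, got {len(parts)}")
    event.update(zip(SNARE_FIELDS, parts))
    event["event_id"] = int(event["event_id"])
    event["record_number"] = int(event["record_number"])
    event["event_data"] = parse_event_data(event["data"])
    return event


def event_data_as_kvp(event: Dict[str, Any]) -> str:
    """Render decoded EventData as space separated key=value pairs.

    Intended for a downstream parser that cannot consume JSON; values that
    contain spaces or '=' are double quoted. Empty string when there is no data.
    """
    data = event.get("event_data") or {}
    pairs = []
    for key, value in data.items():
        text = str(value)
        if " " in text or "=" in text:
            text = '"' + text.replace('"', '\\"') + '"'
        pairs.append(f"{key}={text}")
    return " ".join(pairs)


if __name__ == "__main__":
    for sample in (SAMPLE_NO_EVENTDATA, SAMPLE_JSON_EVENTDATA):
        parsed = parse_snare_line(sample)
        print(parsed["computer_name"], parsed["event_id"], event_data_as_kvp(parsed) or "(no EventData)")
```

The strict field-count check is deliberate: with Snare the message is just one more tab separated column, so any tab or newline left inside it silently moves the record number and everything after it into the wrong slot, which is exactly why the configuration above flattens `\t` and `\R` before the JSON is built.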

Answer (1)

Hello Johannes,

You might try changing your Output module from

Exec to_syslog_snare();

to

Exec $Message = to_json(); to_syslog_snare();

Let me know if it helps.

Best regards,

Rafal
