
Take for example event 4624, with output as JSON to Kafka. Collected via im_msvistalog, the JSON contains these fields:

"Category":"Logon",
...
"Task":12544,

Now, looking at an event 4624 collected via im_wseventing, the JSON looks like this:

"Task":"Logon"

Note: the field Category is missing! As "Task" contains the category, in reality the Task is missing here.

Please fix that for the WEC collector.

Best regards Theo

Asked November 23, 2020 - 8:15pm

Answer (1)

Hi Theo,

First - please, try to keep one topic in a single thread - otherwise, we will get messy really quickly. You can always edit/add content to your existing thread.

Which NXLog version do you use?
Could you share your conf?

Best regards,
Rafal

Comments (1)

  • TD_609646

    Hi Rafal,

    Thanks for your response. I don't think that I can further split up the topic, as the two fields mentioned here are both involved in this specific problem. In one config the field content is put into "Category"; in the other, the same content is put into "Task". So how should I split the topic into different questions? The question is: why is the content moved from "Category" to "Task" if I change from OSLogs to WEC receiving?

    Attached is a config, anonymized and a bit shortened, for WEC:

    User nxlog
    Group nxlog
    Panic Soft
    
    # default values:
    # PidFile   /opt/nxlog/var/run/nxlog/nxlog.pid
    # CacheDir  /opt/nxlog/var/spool/nxlog
    # ModuleDir /opt/nxlog/lib/nxlog/modules
    # SpoolDir /opt/nxlog/var/spool/nxlog
    
    
    # Note that these two lines define constants only; the log file location
    # is ultimately set by the `LogFile` directive (see below). The
    # `MYLOGFILE` define is also used to rotate the log file automatically
    # (see the `_fileop` block).
    define LOGDIR /opt/nxlog/var/log/nxlog
    define MYLOGFILE %LOGDIR%/nxlog.log
    
    # By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
    # allows the log file location to be modified via NXLog Manager. If you
    # are not using NXLog Manager, you can instead set `LogFile` below and
    # disable the `include` line.
    LogFile %MYLOGFILE%
    #include %CONFDIR%/log4ensics.conf
    
    LogLevel INFO
    #LogLevel DEBUG
    
    
    <Extension _syslog>
        Module  xm_syslog
    </Extension>
    
    # Usually many more events are defined here; they were removed as boilerplate for the example.
    # Event 4624 already shows the misbehavior, but all others seem to have the same misbehavior.
    define Logon                                    4624, 4625, 4648
    
    # Define Input/Output
    
    <Extension _json>
        Module  xm_json
    </Extension>
    
    <Input ms_in>
        Module              im_wseventing
        Address             http://anonymized.com:5985/wsman
        ListenAddr          0.0.0.0
        Port                5985
        SubscriptionName    Server-Logs
        Exec                log_info(to_json());
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*</Select>
                    <Select Path="System">*</Select>
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                    <Select Path="Windows PowerShell">*</Select>
                    <Select Path="Microsoft-Windows-WMI-Activity/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            # Usually much more to keep here..
            if ($EventID NOT IN (%Logon%)) drop();
        </Exec>
    </Input>
    
    <Output kafka>
        Module      om_kafka
        BrokerList  anonymized.com:9092
        Topic       anonymized_topic
        Option      client.id anonymized_nxlog
        Exec    to_json();
    </Output>
    
    <Output file>
       Module om_file
       file '/tmp/nxlog_out'
    </Output>
    
    <Route syslog>
        Path    ms_in => kafka
    #     Path    ms_in => file
    </Route>
    
    
    # This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
    # is changed in log4ensics.conf via NXLog Manager, rotation of the new
    # file should also be configured there.
    <Extension _fileop>
        Module  xm_fileop
    
        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every   1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                     file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>
    
        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When    @weekly
            Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>

    Ah, and regarding the version: we currently use v4.8.4811 Enterprise and plan to upgrade to v5.1.6133, but there were some other problems involved here about which we are currently in contact with you, so that we can hopefully upgrade to v5 soon.
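A consumer-side normalizer for the two JSON shapes quoted in this thread, showing why a rule keyed on Category silently misses the WEC-collected events until the field is put back. This is an added example, not NXLog code or anything posted in the thread; the sample lines are constructed and the `_fixup` field name is an assumption of this example.

```python
import json

# Constructed sample events (not captured logs) reproducing the two shapes
# described in the thread: im_msvistalog emits Category plus a numeric Task,
# im_wseventing emits only Task carrying the category name.
MSVISTALOG_LINE = '{"EventID":4624,"Channel":"Security","Category":"Logon","Task":12544}'
WSEVENTING_LINE = '{"EventID":4624,"Channel":"Security","Task":"Logon"}'


def normalize_category_task(event: dict) -> dict:
    """Return a copy of `event` with Category as a string and Task as an int or None.

    The applied fixup is recorded in `_fixup` (hypothetical field name) so the
    rewrite stays auditable downstream; the numeric Task cannot be recovered
    from the WEC shape, so it is set to None rather than guessed.
    """
    out = dict(event)
    category = out.get("Category")
    task = out.get("Task")
    if category is None and isinstance(task, str) and not task.isdigit():
        # WEC shape: the category name landed in Task; move it back.
        out["Category"] = task
        out["Task"] = None
        out["_fixup"] = "category_from_task"
    elif isinstance(task, str) and task.isdigit():
        # Numeric task serialized as a string; make it comparable to the int shape.
        out["Task"] = int(task)
        out["_fixup"] = "task_to_int"
    else:
        out["_fixup"] = None
    return out


def normalize_json_line(line: str) -> dict:
    return normalize_category_task(json.loads(line))


def is_logon_category(event: dict) -> bool:
    """A rule keyed on Category, as it would be written against im_msvistalog output."""
    return event.get("Category") == "Logon"


def rule_hits(lines: list, normalize: bool) -> int:
    """Count rule matches with or without the fixup, to measure the detection gap."""
    hits = 0
    for line in lines:
        event = json.loads(line)
        if normalize:
            event = normalize_category_task(event)
        hits += int(is_logon_category(event))
    return hits
```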