Hi All,

I'm trying a solution to forward Windows event logs to a centralized server (Adiscon Loganalyzer; if you know a free alternative, please help me).

Is it possible to convert raw data or filter data in "messages" to set it in the respective fields?

For example, in the SIEM (Loganalyzer), I have two views (syslog and eventlog).
The syslog view is all OK.

The eventlog view has blank fields:

Eventlog Type
Event Source
Event ID
Event User

Is it possible to filter the message and write it to the respective blank fields?

I have this basic nxlog.conf configuration:

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output out>
    Module  om_tcp
    Host    10.0.2.50
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route eventlog_to_out>
    Path    eventlog => out
</Route>

OUTPUT (excuse me for the language):
È stato tentato un accesso utilizzando credenziali esplicite. Soggetto: #011ID sicurezza:#011#011S-1-5-21-2102024564-1642127871-3539904672-1001 #011Nome account:#011#011prova #011Dominio account:#011#011PCNAME #011ID accesso:#011#0110x1E125 #011GUID accesso:#011#011{00000000-0000-0000-0000-000000000000} Account di cui sono state utilizzate le credenziali: #011Nome account:#011#011admin #011Dominio account:#011#011PCNAME #011GUID accesso:#011#011{00000000-0000-0000-0000-000000000000} Server di destinazione: #011Nome server di destinazione:#011nasbackup #011Informazioni aggiuntive:#011nasbackup Informazioni sul processo: #011ID processo:#011#0110x4 #011Nome processo:#011#011 Informazioni di rete: #011Indirizzo di rete:#01110.0.2.128More Information #011Porta:#011#011#011445 Questo evento viene generato quando un processo tenta di far accedere un account specificando esplicitamente le credenziali dell'account. Generalmente si verifica in configurazioni di tipo batch, ad esempio attività pianificate, oppure quando si utilizza il comando RUNAS.#015

Asked December 5, 2020 - 6:32pm

Answer (1)

Hey,

im_msvistalog gives you quite a nice set of available fields; please take a look at the documentation. There are directly available fields such as $EventType or $AccountName.

If you miss anything, you can always try using regular expressions to pick relevant data.

Finally, you can go for a construction like this:

Exec $Message = $EventType + ' ' + $otherFieldYouLike;

I'm sure after testing you're gonna reach your goal :)

Good luck,
Rafal
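
One way to put the fields the answer mentions to use, as an added example (not part of the original answer and not NXLog's own sample configuration). It assumes the collector at 10.0.2.50 (the address from the question) accepts BSD syslog on TCP 514, and that $AccountName, $SourceName and $Domain may be absent on some events:

```nxlog
# Added example, not from the original post. Assumes the collector at
# 10.0.2.50:514 (taken from the question) accepts BSD syslog over TCP.
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_tcp
    Host        10.0.2.50
    Port        514
    <Exec>
        # im_msvistalog already parses the event into separate fields
        # ($EventID, $EventType, $SourceName, $AccountName, $Domain, ...).
        # to_syslog_bsd() only carries $Message as the body, which is why
        # the receiver's Event ID / Event User columns stay empty.
        # Give optional fields a default so concatenation never hits undef.
        if not defined $AccountName $AccountName = '-';
        if not defined $SourceName  $SourceName  = '-';
        if not defined $Domain      $Domain      = '-';

        # Put the structured values in a fixed, easy-to-parse prefix and
        # keep the original (localized) description after it.
        $Message = 'EventID=' + string($EventID) +
                   ' Type='   + $EventType +
                   ' Source=' + $SourceName +
                   ' Domain=' + $Domain +
                   ' User='   + $AccountName +
                   ' | '      + $Message;

        # to_syslog_bsd() also uses $SourceName as the syslog TAG, so the
        # event source is in the header as well as in the prefix.
        # A receiver that understands RFC 5424 could call to_syslog_ietf()
        # instead: every field is then sent as key="value" structured data.
        to_syslog_bsd();
    </Exec>
</Output>

<Route eventlog_to_out>
    Path        eventlog => out
</Route>
```

The receiver still has to map the `EventID=`/`User=` prefix (or the RFC 5424 structured data) onto its own columns; that part is a Loganalyzer/rsyslog parsing question, not an NXLog one.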

Comments (2)

  • raf (NXLog)

    Aaa, one more thing!

    There are a bunch of alternatives to Loganalyzer (honestly, I don't know this particular solution well).

    If that's for personal purposes, you might want to check Graylog or compile your system using the ELK stack. However, for any commercial purpose, I'd strongly recommend going for supported products (just to mention: NXLog also provides an Enterprise Edition, a product for the most demanding environments).

    Best regards,
    Rafal

  • IB_956097

    Hi,

    My problem is different.
    The $message field is complete.
    The problem is that $eventuser or $eventid go into $messages. My question is: is it possible to filter $event_user from $messages and send it to a different field like "event user"?
    In my database I correctly have event_hostname, but event_id and event_user are blank. Is it possible to redirect the two values not into $messages, but into the 2 blank fields? Thank you.
    (Monitorware agent works, so I think nxlog also has the same problem.)