
Hi,

I'm forwarding Windows events to a SIEM with NXLog.
I'm trying to send the username of the logged-on user (the user of the event) to the SIEM, without success.
Is it possible to send the username?

Thank you

Asked December 7, 2020 - 7:01pm

Answer (1)

Hey,

I think you might want to explore im_msvistalog a bit. You can find there what kind of fields are available and how to use/call certain fields.

In case you have issues with exploring the possibilities, please let us know and share the config file you are stuck with.

Good luck,
Rafal

Comments (1)

  • IB_956097

    This is my log:

    <Event><EventTime>2020-12-10 13:31:57</EventTime><Hostname>PCNAME</Hostname><Keywords>-9214364837600034816</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4648</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>0</Version><Task>12544</Task><OpcodeValue>0</OpcodeValue><RecordNumber>52818</RecordNumber><ActivityID>

    This log is OK, but all of it goes into the Message field.

    In the SIEM, Eventlog Type, Event Source and EventID are blank. I want to redirect EventType to "Event Type", etc.

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    # Only these Security event IDs are forwarded; everything else is dropped below.
    define MonitoredEventIds 4648, 4647

    <Extension _syslog>
    Module xm_syslog
    </Extension>

    <Extension xml>
    Module xm_xml
    </Extension>

    <Input eventlog>
    Module im_msvistalog
    # Serialize every parsed field into $Message as XML, then build the
    # BSD syslog line in $raw_event (this is what om_tcp actually sends).
    Exec $Message = to_xml(); to_syslog_bsd();
    <QueryXML>
    <QueryList>
    <Query Id='0'>
    <Select Path='Security'>*</Select>
    </Query>
    </QueryList>
    </QueryXML>
    Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
    </Input>

    <Output out>
    Module om_tcp
    Host 10.0.2.50
    Port 514
    # to_syslog_bsd() already filled $raw_event in the input, so the line
    # breaks and tabs have to be stripped from $raw_event, not from $Message;
    # editing $Message here would not change what goes on the wire.
    Exec $raw_event = replace($raw_event, "\r\n", " ");
    Exec $raw_event = replace($raw_event, "\n", " ");
    Exec $raw_event = replace($raw_event, "\t", " ");
    Exec $raw_event = replace($raw_event, "#015", " ");
    Exec $raw_event = replace($raw_event, "#011", " ");
    </Output>

    <Route eventlog_to_out>
    Path eventlog => out
    </Route>
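The following is an added example config, not the poster's config and not taken from NXLog's documentation. It addresses both the original question (getting the account name out of the event) and the comment above (all fields ending up inside Message): im_msvistalog already parses the EventData of each Security event into fields such as $SubjectUserName and $TargetUserName, so the fix is to drop unwanted events first, copy the account into a field of your own, and send the record as JSON inside the syslog line rather than as one XML blob. It assumes the xm_json extension is available, that the SIEM at 10.0.2.50:514 can parse a JSON payload, and it uses $User as a field name chosen here (not an NXLog built-in).

```nxlog
# Added example (not the poster's config): forward only the monitored
# Security events, with the account name as its own field, as JSON in a
# BSD syslog message. Assumes xm_json and a JSON-aware SIEM.
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define MonitoredEventIds 4648, 4647

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Drop first, so events nobody wants are never formatted or sent.
        if $EventID NOT IN (%MonitoredEventIds%) drop();

        # im_msvistalog exposes EventData values as fields. Which one holds
        # the account depends on the event: 4648 carries both the subject
        # and the target account, 4647 carries the logging-off user in the
        # target fields. $User is a name chosen for this example.
        if defined $TargetUserName
        {
            $User = $TargetUserName;
        }
        else if defined $SubjectUserName
        {
            $User = $SubjectUserName;
        }

        # EventID, EventType, SourceName, Hostname, User, ... stay separate
        # JSON keys instead of being flattened into one XML string.
        $Message = to_json();
        to_syslog_bsd();
    </Exec>
</Input>

<Output out>
    Module om_tcp
    Host   10.0.2.50
    Port   514
</Output>

<Route eventlog_to_out>
    Path eventlog => out
</Route>
```

To see exactly which field names your own events carry before mapping them on the SIEM side, temporarily use `Exec $raw_event = to_json();` in the input and look at one forwarded record; the keys you see there are the fields you can reference in Exec. JSON escaping also removes the need for the replace() calls that strip line breaks from the XML output.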