I'm forwarding Windows events to a SIEM with NXLog.
I'm trying to send the SIEM the username of the logged-on user (the user of the event), without success.
Is it possible to send the username?

Thank you

Asked December 7, 2020 - 7:01pm

Answer (1)


I think you might want to explore im_msvistalog a bit. There you can find what kind of fields are available and how to use/call certain fields.

In case you have issues with exploring the possibilities - please let us know and share the config file which you are stuck with.

Good luck,

Comments (1)

  • IB_956097

    This is my log:

    <Event><EventTime>2020-12-10 13:31:57</EventTime><Hostname>PCNAME</Hostname><Keywords>-9214364837600034816</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4648</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>0</Version><Task>12544</Task><OpcodeValue>0</OpcodeValue><RecordNumber>52818</RecordNumber><ActivityID>

    This log is OK, but all of this goes into the Message field.

    In the SIEM, Eventlog Type, Event Source and EventID are blank. I want to redirect EventType to "Event Type", etc.

    # Posted config, with the block closing tags the forum stripped restored
    # and the query/filter placed where NXLog expects them.
    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    define MonitoredEventIds 4648, 4647

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    # Provides to_xml()
    <Extension xml>
        Module xm_xml
    </Extension>

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        # Drop everything except the monitored event IDs before building the message
        Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
        # to_xml() overwrites $Message with the XML form of all fields and
        # to_syslog_bsd() builds $raw_event from it; this is why the SIEM
        # only sees one XML blob inside the Message field
        Exec $Message = to_xml(); to_syslog_bsd();
    </Input>

    <Output out>
        Module om_tcp
        # om_tcp requires the destination address; the posted config omitted it.
        # Placeholder: replace with the SIEM collector address.
        Host SIEM_HOST_OR_IP
        Port 514
        # om_tcp sends $raw_event, which to_syslog_bsd() already built in the
        # input; replacing on $Message here would have no effect on what is sent
        Exec $raw_event = replace($raw_event, "\r\n", " ");
        Exec $raw_event = replace($raw_event, "\n", " ");
        Exec $raw_event = replace($raw_event, "\t", " ");
        Exec $raw_event = replace($raw_event, "#015", " ");
        Exec $raw_event = replace($raw_event, "#011", " ");
    </Output>

    <Route eventlog_to_out>
        Path eventlog => out
    </Route>
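One way to get the account name and the other fields to the SIEM as named fields, as an added example that is not part of the original post or of NXLog's own samples: it replaces the to_xml() step with to_json() from the xm_json extension, so each event arrives as one JSON object (EventType, EventID, SourceName, Username, ...) inside the syslog message. It assumes im_msvistalog exposes the event's EventData entries as fields named after them (for 4648/4647 the account is in $TargetUserName, and for 4648 the requesting account in $SubjectUserName), that the SIEM is configured to parse JSON from the message body, and that the Host value is a placeholder.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # same event filter as the posted config
    Exec    if $EventID NOT IN (4648, 4647) drop();
    # assumption: im_msvistalog parses EventData into fields named after the XML
    # elements, so the account of a 4648/4647 event is in $TargetUserName;
    # copy it to one field name the SIEM can map regardless of event ID
    Exec    if defined($TargetUserName) $Username = $TargetUserName;
    # for 4648 the account that requested the logon is in $SubjectUserName
    Exec    if defined($SubjectUserName) $RequestingUser = $SubjectUserName;
</Input>

<Output out>
    Module  om_tcp
    # placeholder: address of the SIEM collector
    Host    SIEM_HOST_OR_IP
    Port    514
    # every field (EventType, EventID, SourceName, Username, ...) becomes a JSON
    # key in the syslog message body instead of one XML blob in Message
    Exec    $Message = to_json(); to_syslog_bsd();
</Output>

<Route eventlog_to_out>
    Path    eventlog => out
</Route>
```

Because to_json() escapes newlines and tabs as JSON requires, the replace() calls from the posted config are no longer needed.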