Hey,
I think you might want to explore im_msvistalog a bit. You can find there what kind of fields are available and how to use/call certain fields.
In case you have issues with exploring the possibilities, please let us know and share the config file you are stuck with.
Good luck,
Rafal
Comments (1)
This is my log:
<Event><EventTime>2020-12-10 13:31:57</EventTime><Hostname>PCNAME</Hostname><Keywords>-9214364837600034816</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4648</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>0</Version><Task>12544</Task><OpcodeValue>0</OpcodeValue><RecordNumber>52818</RecordNumber><ActivityID>
This log is OK, but all of this goes into the Message field.
In the SIEM, Eventlog Type, Event Source and EventID are blank. I want to redirect EventType to "Event Type", etc.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Only these Security event IDs are forwarded.
define MonitoredEventIds 4648, 4647

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension xml>
    Module xm_xml
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Filter first so to_xml()/to_syslog_bsd() are not run for dropped events.
    Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
    # Every field of the event is serialised into $Message as XML, then the
    # BSD syslog line is built into $raw_event from $Message.
    Exec $Message = to_xml(); to_syslog_bsd();
</Input>

<Output out>
    Module om_tcp
    Host 10.0.2.50
    Port 514
    # om_tcp sends $raw_event, which to_syslog_bsd() has already built in the
    # input; editing $Message here would have no effect, so clean up $raw_event.
    Exec $raw_event = replace($raw_event, "\r\n", " ");
    Exec $raw_event = replace($raw_event, "\n", " ");
    Exec $raw_event = replace($raw_event, "\t", " ");
    Exec $raw_event = replace($raw_event, "#015", " ");
    Exec $raw_event = replace($raw_event, "#011", " ");
</Output>

<Route eventlog_to_out>
    Path eventlog => out
</Route>
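An added example (not from this thread or from NXLog's own documentation) of the direction Rafal points at: filter first, then let EventType, SourceName, EventID and the other im_msvistalog fields travel as separate syslog structured-data fields instead of one XML blob in $Message. Paths, host and port are taken from the posted config; the rest is standard im_msvistalog/xm_syslog usage.

```nxlog
Panic Soft

define ROOT C:\Program Files (x86)\nxlog
define MonitoredEventIds 4648, 4647

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Drop unwanted events first, so none of the work below is done for them.
    Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
    # Flatten the multi-line description Windows puts in $Message; the field
    # itself is kept as the human-readable text instead of being overwritten.
    Exec $Message = replace($Message, "\r\n", " "); \
         $Message = replace($Message, "\n", " ");   \
         $Message = replace($Message, "\t", " ");
    # Fields a SIEM rarely maps; deleting them keeps the record short.
    Exec delete($Keywords); delete($OpcodeValue); delete($Task); delete($Version);
</Input>

<Output out>
    Module om_tcp
    Host 10.0.2.50
    Port 514
    # RFC 5424 syslog: xm_syslog places every remaining field in the
    # structured-data part, e.g.
    # [NXLOG@14506 EventType="AUDIT_SUCCESS" SourceName="Microsoft-Windows-Security-Auditing" EventID="4648" ...]
    # while $Message stays in the MSG part, so the SIEM can map each field.
    Exec to_syslog_ietf();
</Output>

<Route eventlog_to_out>
    Path eventlog => out
</Route>
```

If the receiving SIEM parses JSON rather than RFC 5424 structured data, the same fields can be carried with xm_json via `Exec $Message = to_json(); to_syslog_bsd();` in place of `to_syslog_ietf()`.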