Hi All,

I'm testing the possibility of forwarding Windows security logs to a SIEM. Everything seems OK, but I'm not able to drop messages with some values.

For example, we have some events with

$TargetUsername = DWM-"1to11" (example : DWM-1)
$TargetUsername = UMFD-"1to11" (example : UMFD-4)
$TargetUsername = pcname$ (example : HOSTNAME$)
$TargetUsername = Anonymous Access

I'm able to drop "Anonymous Access" with this command:

Exec if $TargetUserName == "Anonymous Access" drop();

but with the other events, I can't use

Exec if $TargetUserName == "UMFD" drop();

because there are multiple events, like UMFD-1, UMFD-2, UMFD-3, or usernames with "$" at the end of the $TargetUserName value.

I have tried this configuration, but it doesn't seem to work:

Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thank you

Asked January 28, 2021 - 7:28pm

Comments (2)

  • manuel.munoz (NXLog)

    Ivano,

    I think here you would need to escape the dollar symbol:

    Exec if $TargetUserName =~ /\$/ drop();

    Can you post here your config file?

  • IB_956097

    define ROOT C:\\Program Files (x86)\\nxlog
    define ROOT_STRING C:\\Program Files (x86)\\nxlog
    define CERTDIR %ROOT%\\cert

    Moduledir %ROOT%\\modules
    CacheDir %ROOT%\\data
    Pidfile %ROOT%\\data\\nxlog.pid
    SpoolDir %ROOT%\\data
    LogFile %ROOT%\\data\\nxlog.log

    define MonitoredEventIds 528, 538, 4800, 4624, 4648, 4647

    <Extension _syslog>
    Module xm_syslog
    </Extension>

    <Extension json>
    Module xm_json
    </Extension>

    <Input eventlog>
    Module im_msvistalog
    <QueryXML>
    <QueryList>
    <Query Id='0'>
    <Select Path='Security'>*</Select>
    </Query>
    </QueryList>
    </QueryXML>
    Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
    Exec if $TargetUserName == "SYSTEM" drop();
    Exec if $TargetUserName == "ACCESSO ANONIMO" drop();
    Exec if $TargetUserName == "SERVIZIO DI RETE" drop();
    Exec if $TargetUserName == "SERVIZIO LOCALE" drop();
    Exec if $TargetUserName =~ /DWM/ drop(); ----> doesn't work (does not drop DWM-1, DWM-2, DWM-3)
    Exec if $TargetUserName =~ /UMFD/ drop(); ----> doesn't work (does not drop UMFD-1, UMFD-2, ...)
    Exec if $TargetUserName =~ /$/ drop(); -----> seems to drop everything (all messages)
    </Input>

    <Output out>
    Module om_udp
    Host SERVERIP
    Port 514
    Exec to_json();
    </Output>

    <Route eventlog_to_out>
    Path eventlog => out
    </Route>
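The filter chain from the config above, modelled in Python as an added example (not code from this thread or from NXLog itself) so the regex behaviour can be checked offline against constructed sample events. It keeps the event-ID and exact-match rules as posted, applies the escaped \$ that manuel.munoz's comment suggests, and anchors the DWM/UMFD patterns to the whole value. The NXLog Exec lines quoted in the comments are assumed equivalents written in the same syntax as the lines already in the thread; the page does not show why the poster's unanchored /DWM/ and /UMFD/ rules failed to match, so the example only demonstrates what the anchored patterns and the escaped dollar do. It assumes Python's re module and NXLog's PCRE-style regex agree on the constructs used (anchors, \d, alternation, \$).

```python
import re

# Added example, not from the NXLog forum thread or NXLog's own code: a Python
# model of the Exec filter chain in the posted im_msvistalog config, so the
# regex behaviour can be checked offline against constructed sample events.
# Assumption: Python's re and NXLog's PCRE-style regex agree on the constructs
# used here (^, $, \d, alternation, and an escaped \$ for a literal dollar).

# From the posted config: define MonitoredEventIds 528, 538, 4800, 4624, 4648, 4647
MONITORED_EVENT_IDS = {528, 538, 4800, 4624, 4648, 4647}

# Exact names the posted config drops with == (Italian localized built-in accounts)
DROP_EXACT = {"SYSTEM", "ACCESSO ANONIMO", "SERVIZIO DI RETE", "SERVIZIO LOCALE"}

# Anchored patterns that replace the three failing lines. NXLog equivalents
# (assumed syntax, consistent with the Exec lines already in the thread):
#   Exec if $TargetUserName =~ /^(DWM|UMFD)-\d+$/ drop();
#   Exec if $TargetUserName =~ /\$$/ drop();
DROP_PATTERNS = [
    re.compile(r"^(DWM|UMFD)-\d+$"),  # DWM-1 ... DWM-11, UMFD-1 ... UMFD-11
    re.compile(r"\$$"),               # computer accounts such as HOSTNAME$
]

# The posted /$/ rule: an unescaped $ is an end-of-string anchor, so it
# matches the empty string at the end of every value and drops everything.
UNESCAPED_DOLLAR = re.compile(r"$")


def should_drop(event):
    """Apply the filter chain in config order; True means the event is dropped."""
    if event.get("EventID") not in MONITORED_EVENT_IDS:
        return True
    name = event.get("TargetUserName", "")
    if name in DROP_EXACT:
        return True
    return any(p.search(name) for p in DROP_PATTERNS)


def filter_events(events):
    """Return the events that would reach the om_udp output."""
    return [e for e in events if not should_drop(e)]


def unescaped_dollar_matches_all(names):
    """True if the posted /$/ rule would match every name in the list."""
    return all(UNESCAPED_DOLLAR.search(n) is not None for n in names)


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DWM-1"},            # drop: session account
    {"EventID": 4624, "TargetUserName": "UMFD-4"},           # drop: session account
    {"EventID": 4624, "TargetUserName": "HOSTNAME$"},        # drop: computer account
    {"EventID": 4624, "TargetUserName": "ACCESSO ANONIMO"},  # drop: exact match
    {"EventID": 4672, "TargetUserName": "mario.rossi"},      # drop: not a monitored ID
    {"EventID": 4624, "TargetUserName": "DWMUSER"},          # keep: not a DWM-<n> name
    {"EventID": 4648, "TargetUserName": "mario.rossi"},      # keep: a real user logon
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "drop" if should_drop(e) else "keep"
        print(e["EventID"], e["TargetUserName"], "->", verdict)
    names = [e["TargetUserName"] for e in SAMPLE_EVENTS]
    print("unescaped /$/ matches every name:", unescaped_dollar_matches_all(names))
```

Running the block prints a drop/keep verdict per sample event and confirms that the bare /$/ pattern matches every name, which is the "drops everything" behaviour reported in the config. The anchored ^(DWM|UMFD)-\d+$ pattern is preferred over a bare substring match because it cannot swallow a human account whose name merely contains "DWM" or "UMFD".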

Answers (0)