
I'm trying to collect EventIDs 4624 and 4634 for Logon Type 10, to store RDP access to my 2 Domain Controllers.

  • same Windows version (2012 R2)
  • same audit config in Windows
  • same NXlog version installed (community edition)
  • same nxlog.conf file

My issue:

  • from DC 1 I'm getting both 4624 and 4634
  • from DC 2 I'm getting only 4634 :(

Additional info:

  • in Windows Event Viewer I have my 4624 on DC2 ...
  • reinstalled nxlog
  • rebooted my DC
  • DEBUG level in nxlog, but no evidence of a problem

Thanks a lot for your support, Benno

Asked February 24, 2021 - 4:04pm

Comments (2)

  • seth.stenzel (NXLog)

    Greetings,

    If it is working for one and not the other, that usually means it is not an issue with NXLog or the conf file.
    Can you share your sanitized configuration file and I can look it over?

    ~Seth S.

  • benno

    Thanks Seth, here is my nxlog.conf:

    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension _exec>
        Module  xm_exec
    </Extension>

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    # No Query directive: im_msvistalog reads its default set of channels
    # (Application, Security and System among them), so this input also
    # sees the Security events, including 4624/4634.
    <Input in>
        Module  im_msvistalog
        Exec    $Message = $Message + " EventID: " + $EventID + " AccountName: " + $AccountName + " Category: " + $Category + " Severity: " + $Severity + " EventType " + $EventType;
    </Input>

    # Second reader for the Security channel only; every Security event is
    # therefore read twice, once here and once by "in".
    <Input secin>
        Module  im_msvistalog
        Query   <QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
    </Input>

    # Security channel -> nxlog_server1 as BSD syslog over UDP
    # (UDP gives the sender no feedback about dropped datagrams).
    <Output secout>
        Module  om_udp
        Host    nxlog_server1
        Port    6514
        Exec    $Hostname = hostname(); to_syslog_bsd();
    </Output>

    # Everything read by "in" -> nxlog_server2 as BSD syslog over UDP
    <Output out>
        Module  om_udp
        Host    nxlog_server2
        Port    514
        Exec    $Hostname = hostname(); to_syslog_bsd();
    </Output>

    <Route 1>
        Path    in => out
    </Route>

    <Route 2>
        Path    secin => secout
    </Route>
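
The configuration below is an added example for this thread; it is not the poster's nxlog.conf and not a file shipped by NXLog. It narrows collection to what the question actually asks for: 4624 (logon) and 4634 (logoff) with Logon Type 10, which Windows uses for RemoteInteractive, i.e. RDP, sessions. The filter is applied at the source through an XPath query instead of reading the whole Security channel, and the same XPath can be pasted into Event Viewer's "Filter Current Log" XML tab on each DC to confirm that matching events exist there before looking at the shipper. Assumed, and not stated in the thread: the collector nxlog_server1 accepts syslog on TCP 6514, the paths are the Windows defaults of NXLog Community Edition, and the field names ($LogonType, $TargetUserName, $IpAddress) are those im_msvistalog parses out of the event's EventData. 4624 is only written when "Audit Logon" success auditing is enabled (auditpol /get /subcategory:"Logon" shows the current setting); the thread states that the audit configuration is identical on both DCs.

```nxlog
# Added example for this thread; not the poster's nxlog.conf and not an
# NXLog-supplied file. Assumed (not in the thread): the collector
# nxlog_server1 accepts syslog on TCP 6514; paths are the Windows
# defaults of NXLog Community Edition.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

# Select the RDP (LogonType 10 = RemoteInteractive) logon and logoff
# events at the source instead of reading the whole Security channel.
# The same XPath can be pasted into Event Viewer's "Filter Current Log"
# XML tab to confirm that a DC actually holds matching events.
<Input rdp_in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]] and *[EventData[Data[@Name='LogonType']='10']]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Defensive second filter on the parsed EventData field, so that a
    # later loosening of the XPath cannot let other logon types through.
    Exec    if $LogonType != '10' drop();
</Input>

# Ship the full parsed event as JSON inside a BSD syslog frame, so that
# TargetUserName, IpAddress, LogonType etc. arrive as fields rather than
# as free text. TCP is used in place of the thread's om_udp: a UDP sender
# gets no indication that a datagram was dropped, so a transport loss
# leaves no trace in nxlog.log, even at DEBUG level.
<Output rdp_out>
    Module  om_tcp
    Host    nxlog_server1
    Port    6514
    Exec    $Hostname = hostname(); $Message = to_json(); to_syslog_bsd();
</Output>

<Route rdp>
    Path    rdp_in => rdp_out
</Route>
```

Keeping the XPath and the Exec filter together is deliberate: the XPath does the work cheaply inside the Event Log API, while the Exec line documents the intent in the configuration itself and still holds if someone later widens the query to collect all logon types.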
    

Answers (0)