So I'm working on moving our logging away from SolarWinds and into nxlog. We like to punt off our logs to Splunk so that our security department can create dashboards and such for the events they care about. I've just about got the output perfect, besides ONE random extra comma and I can't figure out where it's coming from.

Here is my config:

define ROOT C:\Program Files (x86)\nxlog

define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LOGFILE %ROOT%\data\nxlog.log
LogLevel INFO

<Extension syslog>
Module xm_syslog
</Extension>

define MonitoredEventIDs 1100, 1102, 1104, 4608, 4609, 4624, 4625, 4634, 4647, 4648, \
4656, 4658, 4659, 4660, 4661, 4662, 4663, 4664, 4670, 4672, \
4673, 4724, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, \
4728, 4729, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, \
4740, 4766, 4767, 4768, 4776, 4781, 4801, 4825, 4907, 5136, \
5137, 5139, 5141, 5145, 6416, 13002, 13003, 18500, 18502, 307

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
<Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if $EventID NOT IN (%MonitoredEventIDs%) drop();
</Exec>
</Input>

<Input GFI>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="GFI EndPointSecurity">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>

<Output out>
Module om_udp
Host 10.1.0.1
Port 514
Exec to_syslog_snare();$raw_event = replace($raw_event, "\t", ",");
</Output>

<Route>
Path eventlog, GFI => out
</Route>

That creates this beautiful output in Splunk, except for the random extra comma before 'An account was logged off.' This single extra comma is throwing off the parsing of the logs that our customer receives and I need to get rid of it... Any advice?

Mar 1 21:58:26 mycomputer.com MSWinEventLog,1,Security,79,Mon Mar 01 14:58:26 2021,4634,Microsoft-Windows-Security-Auditing,N/A,N/A,Success Audit,mycomputer.com,Logoff,,An account was logged off. Subject: Security ID: S-1-5-21-2294171146-2094350030-1588952898-500 Account Name: pcgroup Account Domain: mycomputer Logon ID: 0x2D069A2F Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,1023042

Asked March 1, 2021 - 11:05pm

Answer (1)

Hi,

Have you checked what data are in the input? Are we sure that the resulting "," appears after parsing in the core?

Thanks,
Rafal

Comments (4)

  • boostcreep

    Hey Raf, not sure I follow. The last paragraph has the output from splunk. You can see each item is separated by a comma besides one which has doubles.

  • raf (NXLog)

    I was asking about the input data.

    In your config, you have this line:

    $raw_event = replace($raw_event, "\t", ",");

    which changes \t to ,. It looks like there might be additional \t in your troublesome cases from your GFI EndPointSecurity - could you confirm this?

    Best regards,
    Rafal

  • boostcreep

    I'm using $raw_event = replace($raw_event, "\t", ","); to correct the issue where we see #011 in all of our logs. This seems to be something that's occurring when going through our syslog server. The output used to look like this:

    Mar 5 20:07:50 pcname MSWinEventLog#0112#011Security#011255616#011Fri Mar 05 13:07:44 2021#0114673#011Microsoft-Windows-Security-Auditing#011#011N/A#011Audit Failure#011pcname#01113056#011A privileged service was called.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-3151560292-365660795-4085114248-1134#015#012#011Account Name:#011#011ddd123#015#012#011Account Domain:#011#011domain#015#012#011Logon ID:#011#0110x3E9C320B#015#012#015#012Service:#015#012#011Server:#011Security#015#012#011Service Name:#011-#015#012#015#012Process:#015#012#011Process ID:#0110x1680#015#012#011Process Name:#011C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe#015#012#015#012Service Request Information:#015#012#011Privileges:#011#011SeTcbPrivilege

    I actually don't have GFI on my machine so it's not logging any GFI events, but we do still have it on other machines in our environment so I have to keep it in the .conf.

    I did try to break them up into two separate outputs and routes, but that didn't seem to make a difference with the double comma.

    <Output out1>
    Module om_udp
    Host 10.1.0.1
    Port 514
    Exec to_syslog_snare();$raw_event = replace($raw_event, "\t", ",");
    </Output>

    <Output out2>
    Module om_udp
    Host 10.1.0.1
    Port 514
    Exec to_syslog_snare();$raw_event = replace($raw_event, "\t", ",");
    </Output>

    <Route>
    Path eventlog => out1
    </Route>

    <Route>
    Path GFI => out2
    </Route>

  • Nathan (NXLog)

    If I'm unable to recreate this issue, would it be viable to create an additional exec statement in your outputs to replace both the tab character and then the replace double commas?
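An added parsing example, not code from this thread or from NXLog, that works through both lines quoted above: the Splunk line in the question and the #011-escaped line in the comments. It is written in Python rather than NXLog configuration because the point is what the downstream consumer sees. Two facts it relies on: the #011, #015 and #012 sequences are octal escapes for TAB, CR and LF, and the Snare record that to_syslog_snare() emits is TAB-delimited, so a field that is empty (as between "Logoff" and the message in the question's output) sits between two adjacent TABs and becomes ",," after a blanket TAB-to-comma replace. The sample lines, SIDs and counters are constructed; fields are treated purely by position, and no NXLog field names are assumed.

```python
import csv
import io
import re

# Constructed sample modelled on the Splunk line quoted in the question, but with
# real TABs where the replace() had already put commas. SIDs and counters are made up.
RAW_SNARE = (
    "Mar 1 21:58:26 mycomputer.com MSWinEventLog\t1\tSecurity\t79\tMon Mar 01 14:58:26 2021"
    "\t4634\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmycomputer.com"
    "\tLogoff\t\tAn account was logged off. Subject: Security ID: S-1-5-21-0-0-0-500"
    " Account Name: pcgroup Logon ID: 0x2D069A2F\t1023042"
)

# Constructed sample modelled on the older output quoted in the comments, where a
# relay escaped control characters as octal: #011 = TAB, #015 = CR, #012 = LF.
ESCAPED_SNARE = (
    "Mar 5 20:07:50 pcname MSWinEventLog#0112#011Security#011255616#011Fri Mar 05 13:07:44 2021"
    "#0114673#011Microsoft-Windows-Security-Auditing#011#011N/A#011Audit Failure#011pcname"
    "#01113056#011A privileged service was called.#015#012#015#012Subject:#015#012#011Security ID:"
    "#011#011S-1-5-21-0-0-0-1134#015#012#011Account Name:#011#011ddd123"
)

_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")


def unescape_control_chars(line: str) -> str:
    """Turn '#NNN' octal escapes back into the control characters they encode.

    Exactly three octal digits are consumed, so '#0112' decodes to TAB followed by '2'.
    A literal '#' followed by three octal digits inside a message would also be
    decoded; the escaping is ambiguous there and cannot be undone reliably.
    """
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


def split_snare(line: str):
    """Return (syslog_header, fields) for one Snare line, splitting on TAB only.

    Fields are positional: an empty field between two TABs stays an empty string
    instead of vanishing, which is what keeps later columns in place.
    """
    line = unescape_control_chars(line)
    header, marker, body = line.partition("MSWinEventLog")
    if not marker:
        raise ValueError("not a Snare-format line")
    return header.rstrip(), (marker + body).split("\t")


def naive_comma_join(fields) -> str:
    """What replace($raw_event, "\t", ",") yields: empty fields become ',,' and a comma
    inside any field is indistinguishable from a separator."""
    return ",".join(fields)


def to_csv_record(fields) -> str:
    """Join fields as RFC 4180 CSV: empty fields stay empty, and any field holding a
    comma, quote, CR or LF is quoted so a CSV reader recovers it intact."""
    buf = io.StringIO()
    csv.writer(buf).writerow(fields)          # default lineterminator is "\r\n"
    return buf.getvalue()[:-2]                # drop that terminator, keep the record


def from_csv_record(record: str):
    """Inverse of to_csv_record."""
    return next(csv.reader(io.StringIO(record)))


if __name__ == "__main__":
    for sample in (RAW_SNARE, ESCAPED_SNARE):
        header, fields = split_snare(sample)
        empties = [i for i, f in enumerate(fields) if f == ""]
        print(f"{header}: {len(fields)} fields, empty at positions {empties}")
        print("  naive:", naive_comma_join(fields)[:110])
        print("  csv  :", to_csv_record(fields)[:110])
        assert from_csv_record(to_csv_record(fields)) == fields
```

Running it shows the question's line has one empty column (position 12, the ",," spot) while the escaped line has empty columns in a different position and, after decoding, TABs inside the message body itself, so a TAB-to-comma replace also adds commas within the message. A consumer that splits on TAB and keeps empty fields, or that receives quoted CSV, sees stable columns either way; removing a doubled separator instead would drop the empty column and shift every later field by one.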