Request trial
Request Trial

NXlog error with "Extended configuration example of security-focused event IDs to monitor" Nxlog configuration for Windows events

Tags:
#1 sejoneshull

Hi,

I am trying to test/deploy the "Extended configuration example of security-focused event IDs to monitor" NXlog configuration for Windows events, as per the article/NXlog conf file example here: https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html (Example 543). I am using NXLog CE (latest version) on Windows 2012R2.

Here's the NXlog.conf I have, using the above conf example and added to the usual NXLog conf needs:

# NXLog.conf

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS   <REDACT IP>
define OUTPUT_DESTINATION_PORT 514


# define Account Usage Events
define AccountUsage        4740, 4648, 4781, 4733, 1518, 4776, 5376, 5377, \
                           4625, 300, 4634, 4672, 4720, 4722, 4782, 4793, \
                           4731, 4735, 4766, 4765, 4624, 1511, 4726, 4725, \
                           4767, 4728, 4732, 4756, 4704

# define Application Crash Events
define AppCrashes          1000, 1002, 1001

# define Application Whitelisting Events
define AppWhitelisting     8023, 8020, 8002, 8003, 8004, 8006, 8007, 4688, \
                           4689, 8005, 865, 866, 867, 868, 882

# define Boot Events
define BootEvents          13, 12

# define Certificate Services Events
define CertServices        95, 4886, 4890, 4874, 4873, 4870, 4887, 4885, \
                           4899, 4896, 1006, 1004, 1007, 1003, 1001, 1002

# define Clearing Event Logs Events
define ClearingLogs        1100, 104, 1102

# define DNS and Directory Services Events
define DNSDirectoryServ    5137, 5141, 5136, 5139, 5138, 3008, 3020

# define External Media Detection events
define ExtMedia            400, 410

# define Group Policy Error Events
define GroupPolicyError    112, 1001, 1125, 1126, 1127, 1129

# define Kernel Driver Signing Events
define KernelDriver        3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                           6281, 219

# define Microsoft Cryptography API Events
define MSFTCryptoAPI       11, 70, 90

# define Mobile Device Activities
define MobileDeviceEvents  10000, 10001

# define Network Host Activities
define NetworkHost         4714, 4713, 4769, 6273, 6275, 6274, 6272, \
                           6278, 6277, 6279, 6276, 6280, 5140, 5145, \
                           5142, 5144, 4706, 1024, 4897, 4719, 4716, \
                           4779, 4778, 5632

# define PassTheHash Detection Events
define PassTheHash         4624, 4625

# define PowerShell Activities
define PowerShell          800, 169, 4103, 4104, 4105, 4106

# define Printing Services Events
define PrintingServices    307

# define Logon Events
define LogonEvents         4624, 4634

# define Software Service Installation Events
define Installation        903, 904, 6, 1022, 1033, 7045, 907, 908, 7000, \
                           800, 2, 905, 906, 19

# define System Integrity Events
define SystemIntegrity     4657, 1, 4616

# define System or Service Failure Events
define SystemServiceFail   7022, 7023, 7024, 7026, 7031, 7032, 7034

# define Task Scheduler Activities
define TaskScheduler       106, 141, 142, 200

# define Windows Defender Activities
define WinDefender         1008, 1006, 1116, 1010, 2003, 2001, 1009, 1118, \
                           1119, 1007, 1117, 3002, 2004, 1005, 5008

# define Windows Firewall Events
define WinFirewall         2009, 2004, 2005, 2006, 2033

# define Windows Update Error Events
define WinUpdateError      1009, 20, 24, 25, 31, 34, 35


Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input extendedeventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
                <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
                <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
                <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
                <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
                <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*</Select>
                <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Network Isolation Operational">*</Select>
                <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']]]</Select>
                <Select Path="Microsoft-Windows-LSA/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
       if ($EventID NOT IN (%AccountUsage%)) and
          ($EventID NOT IN (%AppCrashes%)) and
          ($EventID NOT IN (%AppWhitelisting%)) and
          ($EventID NOT IN (%BootEvents%)) and
          ($EventID NOT IN (%CertServices%)) and
          ($EventID NOT IN (%ClearingLogs%)) and
          ($EventID NOT IN (%DNSDirectoryServ%)) and
          ($EventID NOT IN (%ExtMedia%)) and
          ($EventID NOT IN (%GroupPolicyError%)) and
          ($EventID NOT IN (%KernelDriver%)) and
          ($EventID NOT IN (%MSFTCryptoAPI%)) and
          ($EventID NOT IN (%MobileDeviceEvents%)) and
          ($EventID NOT IN (%NetworkHost%)) and
          ($EventID NOT IN (%PassTheHash%)) and
          ($EventID NOT IN (%PowerShell%)) and
          ($EventID NOT IN (%PrintingServices%)) and
          ($EventID NOT IN (%LogonEvents%)) and
          ($EventID NOT IN (%Installation%)) and
          ($EventID NOT IN (%SystemIntegrity%)) and
          ($EventID NOT IN (%SystemServiceFail%)) and
          ($EventID NOT IN (%TaskScheduler%)) and
          ($EventID NOT IN (%WinDefender%)) and
          ($EventID NOT IN (%WinFirewall%)) and
          ($EventID NOT IN (%WinUpdateError%)) drop();
    </Exec>
</Input>


# Output MS Event Log
<Output out_mseventlog_nxlog>
Module      om_udp
Host        %OUTPUT_DESTINATION_ADDRESS%
Port        %OUTPUT_DESTINATION_PORT%
Exec        $EventTime = integer($EventTime) / 1000000;
Exec        $Message = to_json(); to_syslog_bsd();
</Output>

# Route for MS eventlog logs:
<Route route_msevent_nxlog>
    Path	extendedeventlog => out_mseventlog_nxlog
</Route>

But this results in the following errors in the log:

2021-04-12 16:26:55 ERROR invalid keyword: TolerateQueryErrors at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116 2021-04-12 16:26:55 ERROR module 'extendedeventlog' has configuration errors, not adding to route 'route_msevent_nxlog' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 2021-04-12 16:26:55 ERROR route route_msevent_nxlog is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 2021-04-12 16:26:55 WARNING no routes defined! 2021-04-12 16:26:55 WARNING not starting unused module internal 2021-04-12 16:26:55 WARNING not starting unused module extendedeventlog 2021-04-12 16:26:55 WARNING not starting unused module out_mseventlog_nxlog

If I remove 'TolerateQueryErrors', I get:

2021-04-12 17:42:04 INFO nxlog-ce-2.10.2150 started 2021-04-12 17:42:04 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.

Any obvious things for me to start checking/debugging this?

Thanks in advance!

Permalink
#2 sejoneshull
#1 sejoneshull
Hi, I am trying to test/deploy the "Extended configuration example of security-focused event IDs to monitor" NXlog configuration for Windows events, as per the article/NXlog conf file example here: https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html (Example 543). I am using NXLog CE (latest version) on Windows 2012R2. Here's the NXlog.conf I have, using the above conf example and added to the usual NXLog conf needs: # NXLog.conf define ROOT C:\Program Files (x86)\nxlog define OUTPUT_DESTINATION_ADDRESS <REDACT IP> define OUTPUT_DESTINATION_PORT 514 # define Account Usage Events define AccountUsage 4740, 4648, 4781, 4733, 1518, 4776, 5376, 5377, \ 4625, 300, 4634, 4672, 4720, 4722, 4782, 4793, \ 4731, 4735, 4766, 4765, 4624, 1511, 4726, 4725, \ 4767, 4728, 4732, 4756, 4704 # define Application Crash Events define AppCrashes 1000, 1002, 1001 # define Application Whitelisting Events define AppWhitelisting 8023, 8020, 8002, 8003, 8004, 8006, 8007, 4688, \ 4689, 8005, 865, 866, 867, 868, 882 # define Boot Events define BootEvents 13, 12 # define Certificate Services Events define CertServices 95, 4886, 4890, 4874, 4873, 4870, 4887, 4885, \ 4899, 4896, 1006, 1004, 1007, 1003, 1001, 1002 # define Clearing Event Logs Events define ClearingLogs 1100, 104, 1102 # define DNS and Directory Services Events define DNSDirectoryServ 5137, 5141, 5136, 5139, 5138, 3008, 3020 # define External Media Detection events define ExtMedia 400, 410 # define Group Policy Error Events define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129 # define Kernel Driver Signing Events define KernelDriver 3001, 3002, 3003, 3004, 3010, 3023, 5038, \ 6281, 219 # define Microsoft Cryptography API Events define MSFTCryptoAPI 11, 70, 90 # define Mobile Device Activities define MobileDeviceEvents 10000, 10001 # define Network Host Activities define NetworkHost 4714, 4713, 4769, 6273, 6275, 6274, 6272, \ 6278, 6277, 6279, 6276, 6280, 5140, 5145, \ 5142, 5144, 4706, 1024, 4897, 4719, 4716, \ 4779, 4778, 5632 # define PassTheHash Detection Events define PassTheHash 4624, 4625 # define PowerShell Activities define PowerShell 800, 169, 4103, 4104, 4105, 4106 # define Printing Services Events define PrintingServices 307 # define Logon Events define LogonEvents 4624, 4634 # define Software Service Installation Events define Installation 903, 904, 6, 1022, 1033, 7045, 907, 908, 7000, \ 800, 2, 905, 906, 19 # define System Integrity Events define SystemIntegrity 4657, 1, 4616 # define System or Service Failure Events define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034 # define Task Scheduler Activities define TaskScheduler 106, 141, 142, 200 # define Windows Defender Activities define WinDefender 1008, 1006, 1116, 1010, 2003, 2001, 1009, 1118, \ 1119, 1007, 1117, 3002, 2004, 1005, 5008 # define Windows Firewall Events define WinFirewall 2009, 2004, 2005, 2006, 2033 # define Windows Update Error Events define WinUpdateError 1009, 20, 24, 25, 31, 34, 35 Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> <Input extendedeventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Application">*</Select> <Select Path="Security">*</Select> <Select Path="System">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select> <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select> <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select> <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select> <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select> <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select> <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select> <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select> <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select> <Select Path="Microsoft-Windows-NTLM/Operational">*</Select> <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select> <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> <Select Path="Microsoft-Windows-PrintService/Admin">*</Select> <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> <Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*</Select> <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select> <Select Path="Network Isolation Operational">*</Select> <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select> <Select Path="Windows PowerShell">*</Select> <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']]]</Select> <Select Path="Microsoft-Windows-LSA/Operational">*</Select> </Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%AccountUsage%)) and ($EventID NOT IN (%AppCrashes%)) and ($EventID NOT IN (%AppWhitelisting%)) and ($EventID NOT IN (%BootEvents%)) and ($EventID NOT IN (%CertServices%)) and ($EventID NOT IN (%ClearingLogs%)) and ($EventID NOT IN (%DNSDirectoryServ%)) and ($EventID NOT IN (%ExtMedia%)) and ($EventID NOT IN (%GroupPolicyError%)) and ($EventID NOT IN (%KernelDriver%)) and ($EventID NOT IN (%MSFTCryptoAPI%)) and ($EventID NOT IN (%MobileDeviceEvents%)) and ($EventID NOT IN (%NetworkHost%)) and ($EventID NOT IN (%PassTheHash%)) and ($EventID NOT IN (%PowerShell%)) and ($EventID NOT IN (%PrintingServices%)) and ($EventID NOT IN (%LogonEvents%)) and ($EventID NOT IN (%Installation%)) and ($EventID NOT IN (%SystemIntegrity%)) and ($EventID NOT IN (%SystemServiceFail%)) and ($EventID NOT IN (%TaskScheduler%)) and ($EventID NOT IN (%WinDefender%)) and ($EventID NOT IN (%WinFirewall%)) and ($EventID NOT IN (%WinUpdateError%)) drop(); </Exec> </Input> # Output MS Event Log <Output out_mseventlog_nxlog> Module om_udp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000000; Exec $Message = to_json(); to_syslog_bsd(); </Output> # Route for MS eventlog logs: <Route route_msevent_nxlog> Path extendedeventlog => out_mseventlog_nxlog </Route> But this results in the following errors in the log: 2021-04-12 16:26:55 ERROR invalid keyword: TolerateQueryErrors at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116 2021-04-12 16:26:55 ERROR module 'extendedeventlog' has configuration errors, not adding to route 'route_msevent_nxlog' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 2021-04-12 16:26:55 ERROR route route_msevent_nxlog is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 2021-04-12 16:26:55 WARNING no routes defined! 2021-04-12 16:26:55 WARNING not starting unused module internal 2021-04-12 16:26:55 WARNING not starting unused module extendedeventlog 2021-04-12 16:26:55 WARNING not starting unused module out_mseventlog_nxlog If I remove 'TolerateQueryErrors', I get: 2021-04-12 17:42:04 INFO nxlog-ce-2.10.2150 started 2021-04-12 17:42:04 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration. Any obvious things for me to start checking/debugging this? Thanks in advance!

I presume TolerateQueryErrors is confined to the Enterprise Edition, I presume I should be able to still use the extended logging on CE? Just need to identify the event channels it can't subscribe to.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS