Windows event log(ID 4624) has not been sent to the windows log collection server

#1 AyakoFukumoto

Hi, everyone. I would appreciate it if you could give me useful tips to clarify the problem and collect event log (ID 4624) on NXLog. FYI, the configuration file is pasted below, as something may be wrong with a part of it. The IP address and port No. in the config file were replaced intentionally.

<Background>

- Event logs such as ID 4624 and 4634 have been output to Security.evtx.
- The Security log has been sent to the Log Collection Server by NXLog.

    <Input In_MSEventlogs>
        Module  im_msvistalog
        Query   <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    </Input>

- Currently, a part of the Windows event log (ID 4624) has not been sent to the Windows log collection server, while event log (ID 4634) has been sent.

-- nxlog.conf --

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/docs/

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension charconv>
        Module  xm_charconv
        AutodetectCharsets UTF-8, UCS-2LE
    </Extension>

    # Load the json extension
    <Extension json>
        Module  xm_json
    </Extension>

    <Input msdns>
        Module  im_file
        File    "C:\Windows\Sysnative\dns\dns.log"
        ReadFromLast False
        SavePos False
        Exec    $FileName = file_name();
        Exec    $Hostname = hostname_fqdn();
        Exec    $raw_event = "NXLOG|" + $Hostname + "|OFFBOX-MSDNS-TO-LCP|" + $FileName + "::::" + $raw_event;
    </Input>

    # Send the read log lines out to nxlog server
    <Output out-msdns>
        Module  om_tcp
        Host    IP address of the Log server
        Port    DNS
        OutputType LineBased
    </Output>

    # Build the route from nxlog on Windows to nxlog on server
    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Input In_PowerShell>
        Module  im_msvistalog
        Query   <QueryList>\
                    <Query Id="0">\
                        <Select Path="Windows PowerShell">*</Select>\
                        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                    </Query>\
                </QueryList>
    # For windows 2003 and earlier use the following:
    #   Module  im_mseventlog
    </Input>

    <Input In_MSEventlogs>
        Module  im_msvistalog
        Exec    if ($EventID == 5156) drop();
        Query   <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    </Input>

    <Output Out_MSEventlogs>
        Module  om_udp
        Host    IP address of the Log server
        Port    WEL
        Exec    to_syslog_snare();
    </Output>

    <Output Out_PowerShell>
        Module  om_udp
        Host    IP address of the Log server
        Port    PS
        Exec    to_syslog_snare();
        Exec    $raw_event = replace($raw_event, "MSWinEventLog", "PowerShell");
    </Output>

    <Route 1>
        Path    msdns => out-msdns
    </Route>

    <Route 2>
        Path    In_PowerShell => Out_PowerShell
    </Route>

    <Route 3>
        Path    In_MSEventlogs => Out_MSEventlogs
    </Route>

#2 raf

Hello,

which version of NXLog do you use?

Have you confirmed that event with ID=4624 appears at all?

Could you check your config with a slightly changed config:

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

and let me know if this helps?

Best regards,
Rafal
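Added example (not from this thread and not NXLog's own code): a collector-side check that helps answer Rafal's question of whether the 4624 events are missing at the source or in transit. It parses the Snare-format lines that to_syslog_snare() emits (the field order after the MSWinEventLog marker, and the Counter field being the source's increasing record number, are assumptions, not taken from the thread), tallies events per host, log and EventID, reports holes in the per-log counter, and compares the tallies with counts taken on the Windows host. The sample lines and the hostname WIN-HOST1 are constructed; the "PowerShell" marker mirrors the replace() in the poster's Out_PowerShell block.

```python
"""Collector-side check for NXLog Snare output (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Payload markers: "MSWinEventLog" is standard Snare; "PowerShell" mirrors the
# replace() call in the poster's Out_PowerShell output.
SNARE_MARKERS = ("MSWinEventLog", "PowerShell")

# Assumed tab-separated field order after the marker (Snare layout):
# 0 Criticality, 1 LogName, 2 Counter, 3 DateTime, 4 EventID, 5 SourceName,
# 6 User, 7 SIDType, 8 EventType, 9 Computer, 10 Category, 11 Data, 12 Message
IDX_LOGNAME, IDX_COUNTER, IDX_EVENTID = 1, 2, 4

# BSD syslog header "<PRI>Mon DD HH:MM:SS host <payload>" as written by xm_syslog.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)

# Constructed sample lines (not real traffic). Counter 102 is deliberately absent
# to stand in for an event the collector never received.
SAMPLE_LINES = [
    "<13>Sep 10 09:00:01 WIN-HOST1 MSWinEventLog\t1\tSecurity\t100\tTue Sep 10 09:00:01 2019\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-HOST1\tLogon\t\tAn account was successfully logged on.\t100",
    "<13>Sep 10 09:00:02 WIN-HOST1 MSWinEventLog\t1\tSecurity\t101\tTue Sep 10 09:00:02 2019\t4634\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-HOST1\tLogoff\t\tAn account was logged off.\t101",
    "<13>Sep 10 09:00:04 WIN-HOST1 MSWinEventLog\t1\tSecurity\t103\tTue Sep 10 09:00:04 2019\t4634\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-HOST1\tLogoff\t\tAn account was logged off.\t103",
    "<13>Sep 10 09:00:05 WIN-HOST1 MSWinEventLog\t1\tSecurity\t104\tTue Sep 10 09:00:05 2019\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-HOST1\tLogon\t\tAn account was successfully logged on.\t104",
    "<13>Sep 10 09:00:06 WIN-HOST1 PowerShell\t1\tWindows PowerShell\t50\tTue Sep 10 09:00:06 2019\t400\tPowerShell\tN/A\tN/A\tInformation\tWIN-HOST1\tEngine Lifecycle\t\tEngine state is changed from None to Available.\t50",
    "<13>Sep 10 09:00:07 WIN-HOST1 some other syslog message without a Snare payload",
]


def parse_snare_line(line):
    """Return (host, log_name, counter, event_id), or None for non-Snare lines."""
    m = SYSLOG_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    marker, sep, payload = m.group("rest").partition("\t")
    if not sep or marker not in SNARE_MARKERS:
        return None
    fields = payload.split("\t")
    if len(fields) <= IDX_EVENTID:
        return None
    try:
        return (m.group("host"), fields[IDX_LOGNAME],
                int(fields[IDX_COUNTER]), int(fields[IDX_EVENTID]))
    except ValueError:
        return None


def count_by_event_id(lines):
    """Tally received events per (host, log_name, event_id)."""
    counts = Counter()
    for line in lines:
        parsed = parse_snare_line(line)
        if parsed:
            host, log_name, _, event_id = parsed
            counts[(host, log_name, event_id)] += 1
    return counts


def find_counter_gaps(lines):
    """Per (host, log_name), list counter values missing between the lowest and
    highest value seen. Events the agent drops on purpose (EventID 5156 in the
    poster's config) also leave holes, so read gaps together with the counts."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_snare_line(line)
        if parsed:
            host, log_name, counter, _ = parsed
            seen[(host, log_name)].add(counter)
    gaps = {}
    for key, counters in seen.items():
        missing = sorted(set(range(min(counters), max(counters) + 1)) - counters)
        if missing:
            gaps[key] = missing
    return gaps


def check_expected(lines, expected):
    """Compare collector tallies with counts taken on the source host.
    `expected` maps (host, log_name, event_id) to the number of events in the
    local event log; returns the keys where the collector is short as
    (expected, received) pairs."""
    received = count_by_event_id(lines)
    return {key: (want, received.get(key, 0))
            for key, want in expected.items() if received.get(key, 0) < want}


if __name__ == "__main__":
    for key, n in sorted(count_by_event_id(SAMPLE_LINES).items()):
        print(f"{key[0]} {key[1]} EventID {key[2]}: {n} received")
    print("counter gaps:", find_counter_gaps(SAMPLE_LINES))
    # Source-side figure constructed to show a shortfall of one 4624 event.
    print("shortfall:", check_expected(SAMPLE_LINES, {("WIN-HOST1", "Security", 4624): 3}))
```

The source-side figure to feed into check_expected can be taken on the Windows host for the same time window, for instance with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}. Reading the two results together: a shortfall with no holes in the Security counter means the agent never emitted those events (the Query or an Exec drop() filtered them), whereas holes in the counter with the om_udp outputs in this config point at loss between agent and collector.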