
Hi, everyone.
I would appreciate it if you could give me useful tips to clarify the problem and collect event log (ID 4624) with NXLog.
FYI, the configuration file is pasted below, as something may be wrong with a part of it.
The IP address and port number in the config file were replaced intentionally.

<Background>
- Event logs such as ID 4624 and 4634 have been output to Security.evtx.
- The Security log has been sent to the log collection server by NXLog.
<Input In_MSEventlogs>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>

- Currently, part of the Windows event log (ID 4624) has not been sent to the Windows log collection server, while event log (ID 4634) has been sent.

-- nxlog.conf --

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension charconv>
Module xm_charconv
AutodetectCharsets UTF-8, UCS-2LE
</Extension>

# Load the json extension
<Extension json>
Module xm_json
</Extension>

<Input msdns>
Module im_file
File "C:\Windows\Sysnative\dns\dns.log"
ReadFromLast False
SavePos False
Exec $FileName = file_name();
Exec $Hostname = hostname_fqdn();
Exec $raw_event = "NXLOG|" + $Hostname + "|OFFBOX-MSDNS-TO-LCP|" + $FileName + "::::" + $raw_event;
</Input>

# Send the read log lines out to nxlog server
<Output out-msdns>
Module om_tcp
Host IP address of the Log server
Port DNS
OutputType LineBased
</Output>

# Build the route from nxlog on Windows to nxlog on server

<Extension _syslog>
Module xm_syslog
</Extension>

<Input In_PowerShell>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Windows PowerShell">*</Select>\
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
</Query>\
</QueryList>
# For windows 2003 and earlier use the following:
# Module im_mseventlog
</Input>

<Input In_MSEventlogs>
Module im_msvistalog
Exec if ($EventID == 5156) drop();
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>

<Output Out_MSEventlogs>
Module om_udp
Host IP address of the Log server
Port WEL
Exec to_syslog_snare();
</Output>

<Output Out_PowerShell>
Module om_udp
Host IP address of the Log server
Port PS
Exec to_syslog_snare();

Exec $raw_event = replace($raw_event, "MSWinEventLog", "PowerShell");
</Output>

<Route 1>
Path msdns => out-msdns
</Route>

<Route 2>
Path In_PowerShell => Out_PowerShell
</Route>

<Route 3>
Path In_MSEventlogs => Out_MSEventlogs
</Route>

Asked April 28, 2021 - 8:36am

Answer (1)

Hello,

Which version of NXLog do you use?

Have you confirmed that event with ID=4624 appears at all?

Could you check your config with this slightly changed config:

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

and let me know if this helps.

Best regards,
Rafal

Comments (1)

  • AyakoFukumoto

    Dear Rafal, thank you for your kind support. It's very helpful.
    Could you please help me a bit more?

    1. About your comment: > Have you confirmed that event with ID=4624 appears at all?
    Please let me make sure of the meaning of your question above.
    Are you suggesting that I should create a configuration such as "<Exec if ($EventID == 4624)>" for confirming whether the event log was sent?
    If that's the case, what kind of configurations should I create for event log ID 4624 and for other event logs respectively?
    I would appreciate it if you could share sample configurations for them.

    2. About outputting a debug log:
    Is the following configuration effective for outputting a debug log to NXLog?
    I want to confirm whether event log (ID 4624) is recognized by NXLog.
    Exec if ($EventID == 4624) log_info("EventID = 4624");
    Exec if ($EventID == 4625) log_info("EventID = 4625");

    3. About Plan B:
    I have tried the configuration which you suggested before, but unfortunately it didn't work.
    Could you share another idea if possible?
    I am also wondering whether the following configuration is right, or whether another configuration for "<Select Path='Security'>*</Select>" ought to have been created independently.

    # In Windows Event Log
    <Input In_eventlog>
        Module im_msvistalog
        Exec if ($EventID == 5156) drop();
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*</Select>
                    <Select Path="Application">*</Select>
                    <Select Path="System">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    Best Regards,
    Ayako
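The thread's symptom (4634 logoff events arrive at the collector, 4624 logon events do not) and Ayako's second question (how to confirm that 4624 is actually seen) can both be checked from the receiving side. The script below is an added example, not NXLog's code and not the poster's configuration: it parses the Snare-style syslog lines that `om_udp` with `to_syslog_snare()` emits, tallies EventIDs per host, and flags hosts that report logoffs without any logons, as well as gaps in the Snare counter, which over UDP usually mean dropped packets. The field layout (`MSWinEventLog`, then tab-separated Criticality, Channel, Counter, EventTime, EventID, ...) is an assumption about the Snare format, and the sample lines are constructed rather than captured.

```python
# Added example (not NXLog's code, not the poster's config): collector-side
# check for "4634 arrives but 4624 does not".  Parses Snare-style syslog
# lines, tallies EventIDs per host, and flags missing logons and counter gaps.
# The field layout below is an assumption about the Snare format; the sample
# lines are constructed.
import re
from collections import Counter, defaultdict

# Assumed layout: "<PRI>Mon DD HH:MM:SS host MSWinEventLog" followed by
# tab-separated fields: Criticality, Channel, Counter, EventTime, EventID, ...
SNARE_RE = re.compile(
    r"^<\d+>(?P<ts>\S+ +\d+ \S+) (?P<host>\S+) MSWinEventLog\t(?P<rest>.*)$"
)


def parse_snare_line(line):
    """Return (host, counter, event_id), or None if the line is not Snare format."""
    m = SNARE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.group("rest").split("\t")
    if len(fields) < 5:
        return None
    try:
        return m.group("host"), int(fields[2]), int(fields[4])
    except ValueError:
        return None


def analyse(lines, pairs=((4624, 4634),)):
    """Tally EventIDs per host and return (tallies, findings).

    findings is a list of (host, description) tuples; pairs lists
    (logon_id, logoff_id) combinations that should both be present."""
    tallies = defaultdict(Counter)
    counters = defaultdict(list)
    for line in lines:
        parsed = parse_snare_line(line)
        if parsed is None:
            continue  # not a Snare line (e.g. output of the PowerShell route)
        host, counter, event_id = parsed
        tallies[host][event_id] += 1
        counters[host].append(counter)

    findings = []
    for host, tally in tallies.items():
        for logon_id, logoff_id in pairs:
            if tally[logoff_id] and not tally[logon_id]:
                findings.append((host, f"{tally[logoff_id]} x {logoff_id} but no {logon_id}"))
        seq = sorted(set(counters[host]))
        gaps = (seq[-1] - seq[0] + 1) - len(seq)  # counter values never received
        if gaps:
            findings.append((host, f"{gaps} missing counter value(s): possible UDP loss"))
    return {h: dict(t) for h, t in tallies.items()}, findings


def snare(host, counter, event_id, channel="Security", text="sample"):
    """Build one constructed Snare-style line for the demo below."""
    return (f"<13>Apr 28 08:36:01 {host} MSWinEventLog\t1\t{channel}\t{counter}"
            f"\tWed Apr 28 08:36:01 2021\t{event_id}\tMicrosoft-Windows-Security-Auditing"
            f"\tN/A\tN/A\tSuccess Audit\t{host}\tLogon/Logoff\t\t{text}\t{counter}")


# Constructed input: WS01 shows the thread's symptom, WS02 shows a counter gap.
SAMPLE_LINES = [
    snare("WS01", 10, 4634),
    snare("WS01", 11, 4634),
    snare("WS01", 12, 4672),
    snare("WS02", 20, 4624),
    snare("WS02", 22, 4634),  # counter 21 never arrived
    "Apr 28 08:36:02 WS01 PowerShell\tnot a Snare line",
]


def run_sample():
    return analyse(SAMPLE_LINES)


if __name__ == "__main__":
    tallies, findings = run_sample()
    for host, tally in tallies.items():
        print(host, tally)
    for host, note in findings:
        print(f"{host}: {note}")
```

Point it at a capture of what the collector actually receives (for example the output of a UDP listener on the `WEL` port) instead of `SAMPLE_LINES`; a host that appears only with "no 4624" while its local Security log does contain 4624 narrows the problem to the NXLog query or the transport, and counter gaps point at UDP loss rather than at the query.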