(SID resolved) WEC on Linux: uid_to_name() returns null

raf

Hello Roman,

Could you share your conf file with us?
Which version fo NXLog agent are you using?

Best regards,
Rafal

AnsweredMay 3, 2021 - 12:14pm

Roman_Andreev
Leave a comment
NXlog version: nxlog-5.3.6758_rhel7_x86_64
NXlog conf (example):

#################################
define FQDN_WEC nxlog-linux.local

<Input wseventin>
Module im_wseventing
Address http://%FQDN_WEC%:5985/wsman
ListenAddr 0.0.0.0
Port 5985
<QueryXML>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*</Select>
<Select Path="Security">*</Select>
<Select Path="Setup">*</Select>
<Select Path="System">*</Select>
<Select Path="ForwardedEvents">*</Select>
<Select Path="Windows PowerShell">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>

<Extension _resolver>
Module xm_resolver
</Extension>

<Processor winrewrites>
Module pm_null
LogqueueSize 100000
<Exec>
$SubjectUserSidRSLVD = uid_to_name($SubjectUserSid);
</Exec>
</Processor>

<Output syslog>
Module om_tcp
Host 1.1.1.1:514
LogqueueSize 1000000
<Exec>
$Hostname = lc($Hostname);
</Exec>
</Output>

<Route win>
Path wseventin => winrewrites => syslog
</Route>

###################################

May 7, 2021 - 9:54pm

You are here