1
response

Hi, everyone.
I haven’t overcome the problem above.
Could anyone please share idea of ;
-The possible methods of determining the root cause of the problem
-The possible methods of overcoming this problem
As soon as you can, please!
Thank you.

<The problem>
When sending event logs from NXlog, a certain event log has never been sent to the windows log collection server.
E.g.
Event ID: 4624(Successful Logon)->Has not been sent
Event ID: 4634(Logout)->have been sent

<The methods already tested >
1.Debugging;
The following debug log was configured in order to test that target event log (ID: 4624) was recognized by NXlog.

Exec if ($EventID == 4624) log_info("EventID = 4624 | " + $EventID + " | " + $EventTime);

The test shows that the event log was recognized by NXlog, as it was output to NXlog as follows.

2021-05-14 19:22:17 INFO EventID = 4624 | 4624 | 2021-05-14 19:22:17

2. Explicit output of the target event log (ID4624);
The test shows that the expected event log has not been sent, though the following event logs were sent after specified event logs explicitly.

  #In Windows Event Log (Event ID:4624 or 4625)
  <Input In_eventlog_logon>
  Module im_msvistalog
Exec if ($EventID == 5156) drop();
Exec if ($EventID == 4624) log_info("EventID = 4624 | " + $EventID + " | " + $EventTime + " | " + $Hostname);
  <QueryXML>
<QueryList>
<Query Id='0'>
<Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>

AskedMay 20, 2021 - 6:40am

Answer (1)

The test shows that the expected event log has not been sent, though the following event logs were sent after specified event logs explicitly.

If it is visible in the log then I'm 100% sure that it is also sent. You can confirm this with wireshark or tcpdump. It's more likely that your SIEM or receiver is discarding these.