Request trial
Request Trial

A certain windows event log has not been sent

Tags:
#1 AyakoFukumoto

Hi, everyone. I haven’t overcome the problem above. Could anyone please share idea of ; -The possible methods of determining the root cause of the problem -The possible methods of overcoming this problem As soon as you can, please! Thank you.

<The problem> When sending event logs from NXlog, a certain event log has never been sent to the windows log collection server. E.g. Event ID: 4624(Successful Logon)->Has not been sent Event ID: 4634(Logout)->have been sent

<The methods already tested > 1.Debugging; The following debug log was configured in order to test that target event log (ID: 4624) was recognized by NXlog.

Exec if ($EventID == 4624) log_info("EventID = 4624 | " + $EventID + " | " + $EventTime);

The test shows that the event log was recognized by NXlog, as it was output to NXlog as follows.

2021-05-14 19:22:17 INFO EventID = 4624 | 4624 | 2021-05-14 19:22:17

  1. Explicit output of the target event log (ID4624); The test shows that the expected event log has not been sent, though the following event logs were sent after specified event logs explicitly.

  #In Windows Event Log (Event ID:4624 or 4625)   <Input In_eventlog_logon>   Module im_msvistalog Exec if ($EventID == 5156) drop(); Exec if ($EventID == 4624) log_info("EventID = 4624 | " + $EventID + " | " + $EventTime + " | " + $Hostname);   <QueryXML> <QueryList> <Query Id='0'> <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select> </Query> </QueryList> </QueryXML> </Input>

Permalink
#2 b0ti Nxlog ✓
#1 AyakoFukumoto
Hi, everyone. I haven’t overcome the problem above. Could anyone please share idea of ; -The possible methods of determining the root cause of the problem -The possible methods of overcoming this problem As soon as you can, please! Thank you. <The problem> When sending event logs from NXlog, a certain event log has never been sent to the windows log collection server. E.g. Event ID: 4624(Successful Logon)->Has not been sent Event ID: 4634(Logout)->have been sent <The methods already tested > 1.Debugging; The following debug log was configured in order to test that target event log (ID: 4624) was recognized by NXlog. Exec if ($EventID == 4624) log_info("EventID = 4624 | " + $EventID + " | " + $EventTime); The test shows that the event log was recognized by NXlog, as it was output to NXlog as follows. 2021-05-14 19:22:17 INFO EventID = 4624 | 4624 | 2021-05-14 19:22:17 Explicit output of the target event log (ID4624); The test shows that the expected event log has not been sent, though the following event logs were sent after specified event logs explicitly.   #In Windows Event Log (Event ID:4624 or 4625)   <Input In_eventlog_logon>   Module im_msvistalog Exec if ($EventID == 5156) drop(); Exec if ($EventID == 4624) log_info("EventID = 4624 | " + $EventID + " | " + $EventTime + " | " + $Hostname);   <QueryXML> <QueryList> <Query Id='0'> <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select> </Query> </QueryList> </QueryXML> </Input>

The test shows that the expected event log has not been sent, though the following event logs were sent after specified event logs explicitly.

If it is visible in the log then I'm 100% sure that it is also sent. You can confirm this with wireshark or tcpdump. It's more likely that your SIEM or receiver is discarding these.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS