How to forward the raw XML for Windows logs
#1 ryanswj
                        Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using nxlog EE.
Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use 
    Exec $Message = to_xml(); to_syslog_bsd();
then I get an XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM.
Thank you!
As an aside, this is what I want:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider />
        <EventID>7036</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated />
        <EventRecordID>718</EventRecordID>
        <Correlation />
        <Execution />
        <Channel>System</Channel>
        <Computer>Lab-NXServer</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Client License Service (ClipSVC)</Data>
        <Data>running</Data>
        <Binary>43006C00690070005300560043002F0034000000</Binary>
      </EventData>
    </Event>
    You should be able to use only to_xml() to forward the logs to your SIEM. Have you tried this, and if so, does it work, or is it being parsed differently by the SIEM?
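One way to get the native Event Viewer XML into the forwarded message, as an added example that is not part of this thread and not NXLog's own documentation: to_xml() from xm_xml serializes NXLog's parsed fields (EventTime, Hostname, Message, ...) as a flat XML document, which is why its output looks nothing like the <Event> document in Event Viewer's XML view. im_msvistalog in NXLog EE can instead keep the event's original XML in the $EventXML field when CaptureEventXML is enabled, and that field can be used as the message body. The host siem.example.com and port 1514 below are placeholders.

```nxlog
# Added example, not from the original post. Forward the Windows event's own
# XML (the <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# document) rather than NXLog's to_xml() rendering.
# Assumes NXLog EE on the Windows host and a SIEM listening on TCP 1514 at
# siem.example.com (placeholder host and port).

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Keep the raw event XML in $EventXML next to the parsed fields.
    CaptureEventXML TRUE
    <Exec>
        # Use the raw XML as the message body so the SIEM receives the
        # Windows Event schema it already knows how to parse.
        $Message = $EventXML;
        # Collapse the XML onto one line so a line-oriented syslog
        # receiver does not split a single event into several records.
        $Message = replace($Message, "\r\n", "");
        $Message = replace($Message, "\n", "");
    </Exec>
</Input>

<Output siem>
    Module  om_tcp
    Host    siem.example.com
    Port    1514
    # Prefix the XML with a BSD syslog header; remove this line to send
    # bare XML documents instead.
    Exec    to_syslog_bsd();
</Output>

<Route eventlog_to_siem>
    Path    eventlog => siem
</Route>
```

To write the same output to a local file instead of a SIEM, replace the om_tcp output with an om_file output pointing at the target path; the Input block is unchanged. Before trusting the SIEM's parser, compare one forwarded line against the XML view of the same record (matching EventRecordID) in Event Viewer to confirm the element set survived the trip.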
