How to forward PowerShell_transcript files to SIEM as syslog?


#1 Antonio.Gonzalez2021

Hello there,

We are currently getting PowerShell transcript logs on one of our Windows WEF Collectors. Each log is generated as a .txt file following this naming convention: PowerShell_transcript.$deviceName.$RandomNumber.txt.

For example, this is what the folder looks like:

    G:/PowerShell_logs/
        PowerShell_transcript.device1.qww.txt
        PowerShell_transcript.device2.fgd.txt
        PowerShell_transcript.device3.hjj.txt

The issue I am having is that the content of each .txt file arrives at the SIEM one line at a time instead of all the lines arriving in the same event. This is the content of one of the PowerShell transcript files:


    Windows PowerShell transcript start
    Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\temp\reset-password_1.2.ps1'
    Process ID: 19236
    PSVersion: 5.1.18362.1714
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.18362.1714
    BuildVersion: 10.0.18362.1714
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3

    Windows PowerShell transcript end
    End time: 20210920120413



This is the "nxlog.conf" I am using:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension syslog>
        Module  xm_syslog
    </Extension>

    <Input in>
        Module  im_file
        File    "G:\PowerShell_logs\PowerShell_transcript*.txt"
    </Input>

    <Output out1>
        Module  om_tcp
        Host    SIEM-FDQN-domain.com
        Port    514
        Exec    to_syslog_bsd();
    </Output>

    <Route 1>
        Path    in => out1
    </Route>

    #----------------------------- END nxlog.conf -----------------------------

The question is: how do I configure "nxlog.conf" so that the entire content of each PowerShell_transcript.device1.qww.txt is sent to the SIEM as one event and not multiple ones?

#2 rafDeactivated Nxlog ✓

Hey Antonio,

I think the xm_multiline module is something you may be interested in.
Please check the documentation of xm_multiline. You can also find some xm_multiline related questions and solutions on this forum.

Good luck!
Rafal
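An added example (not part of Rafal's reply or of the NXLog project's own documentation) showing how xm_multiline could be wired into the poster's existing config. The HeaderLine and EndLine regexes are assumptions taken from the sample transcript above; real transcript files usually carry more header fields and asterisk separator lines, so check the patterns against an actual file before relying on them.

```conf
# Added example, not the poster's config. xm_multiline collects every line of a
# transcript file into one event; the regexes below are assumptions based on the
# sample in the question and must be checked against a real transcript file.
<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension transcript>
    Module      xm_multiline
    # A new event starts at this line ...
    HeaderLine  /^Windows PowerShell transcript start/
    # ... and is emitted as soon as this line has been read.
    EndLine     /^End time: /
</Extension>

<Input in>
    Module      im_file
    File        "G:\PowerShell_logs\PowerShell_transcript*.txt"
    # Read the file through the multiline parser instead of line by line.
    InputType   transcript
</Input>

<Output out1>
    Module      om_tcp
    Host        SIEM-FDQN-domain.com
    Port        514
    # BSD syslog over TCP is newline-delimited, so the receiver would split the
    # joined event again; fold CRLF line breaks before framing it as syslog.
    Exec        $raw_event = replace($raw_event, "\r", "");
    Exec        $raw_event = replace($raw_event, "\n", " | ");
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        in => out1
</Route>
```

If the SIEM can accept octet-counted or otherwise framed syslog, the newline folding can be dropped and the original line layout preserved in the event.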