
Hello there,

We are currently getting PowerShell transcript logs in one of our Windows WEF Collectors. Each log is generated as a .txt file with the following naming convention: PowerShell_transcript.$deviceName.$RandomNumber.txt.

For example, this is what the folder looks like:
G:/PowerShell_logs/
PowerShell_transcript.device1.qww.txt
PowerShell_transcript.device2.fgd.txt
PowerShell_transcript.device3.hjj.txt

The issue I am having is that the content of each .txt file is arriving at the SIEM one line at a time instead of all the lines arriving in the same event.
This is the content of one of the PowerShell transcript files.
**********************
Windows PowerShell transcript start
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\temp\reset-password_1.2.ps1'
Process ID: 19236
PSVersion: 5.1.18362.1714
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.18362.1714
BuildVersion: 10.0.18362.1714
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3

**********************
Windows PowerShell transcript end
End time: 20210920120413
**********************

----------------------------------------------------------------------------------------------------------
This is the "nxlog.conf" I am using:
----------------------------------------------------------------------------------------------------------

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension syslog>
Module xm_syslog
</Extension>

<Input in>
Module im_file
File "G:\\PowerShell_logs\\PowerShell_transcript*.txt"
</Input>

<Output out1>
Module om_tcp
Host SIEM-FDQN-domain.com
Port 514
# Exec to_syslog_bsd();
</Output>

<Route 1>
Path in => out1
</Route>

#----------------------------------------------------------------------------------- END nxlog.conf------------------------------------------------------
The question is:
How do I configure the "nxlog.conf" so that the entire content of each PowerShell_transcript.device1.qww.txt file is sent to the SIEM as one event and not multiple ones?

Asked September 20, 2021 - 6:24pm
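One way to get each transcript out as a single event is NXLog's xm_multiline extension, as an added example rather than the poster's or NXLog's own configuration; the instance name transcript, the two regular expressions, and the newline flattening in the output are my assumptions based on the transcript layout shown in the question. Keeping the "Host Application" command line and the "End time" in one event is what lets the SIEM attribute a script run to a single record instead of loose lines.

```nxlog
# Added example, not from the original post or NXLog's documentation.
# Assumes the file layout and transcript format shown above.
<Extension transcript>
    Module      xm_multiline
    # A record starts at the "transcript start" line ...
    HeaderLine  /^Windows PowerShell transcript start/
    # ... and is flushed as soon as the "End time:" line is read, so the event
    # is emitted immediately instead of waiting for the next file's header.
    EndLine     /^End time: /
    # Lines made only of asterisks are separators, not content; this Exec runs
    # per line (not per assembled message), so drop() keeps them out.
    Exec        if $raw_event =~ /^\*+$/ drop();
</Extension>

<Input in>
    Module      im_file
    File        "G:\\PowerShell_logs\\PowerShell_transcript*.txt"
    # Hand lines to xm_multiline instead of the default line-based reader.
    InputType   transcript
</Input>

<Output out1>
    Module      om_tcp
    Host        SIEM-FDQN-domain.com
    Port        514
    # $raw_event now contains embedded newlines. Flatten them unless the SIEM
    # parser is known to accept multi-line messages over plain TCP syslog.
    Exec        $raw_event = replace($raw_event, "\n", " | ");
</Output>

<Route 1>
    Path        in => out1
</Route>
```

Check the result by tailing one transcript file with the new configuration and confirming the SIEM shows a single event that contains both "Host Application:" and "End time:".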

Answer (1)