
Windows Server 2019
NXLog: nxlog-ce 2.11.2190

Running the Community version to test/trial a SIEM platform (Enterprise will be acquired if the current PoC is selected).

From 132.4.2. Example monitoring configurations

I copied the code block in Example 644 into my nxlog.conf.

After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates/changes.

I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:

ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.;  [error code: 15001]

After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors.

Can anyone help me to figure out what "error code 15001" means and/or spot where I goofed in my nxlog.conf file?

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog-events.log
LogLevel DEBUG

#Load Extensions
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# define Account Usage Events
define AccountUsage             300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
                                4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
                                4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
                                4781, 4782, 4793, 5376, 5377

# define Application Crash Events
define AppCrashes               1000, 1001, 1002

# define Application Whitelisting Events
define AppWhitelisting          865, 866, 867, 868, 882, 4688, 4689, 8002, \
                                8003, 8004, 8005, 8006, 8007, 8020, 8023

# define Boot Events
define BootEvents               12, 13

# define Certificate Services Events
define CertServices             95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
                                4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899

# define Clearing Event Logs Events
define ClearingLogs             104, 1100, 1102

# define DNS and Directory Services Events
define DNSDirectoryServ         3008, 3020, 5136, 5137, 5138, 5139, 5141

# define External Media Detection events
define ExtMedia                 400, 410

# define Group Policy Error Events
define GroupPolicyError         112, 1001, 1125, 1126, 1127, 1129

# define Software Service Installation Events
define Installation             2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
                                1022, 1033, 7000, 7045


# define Kernel Driver Signing Events
define KernelDriver             219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                                6281

# define Microsoft Cryptography API Events
define MSFTCryptoAPI            11, 70, 90

# define Mobile Device Activities
define MobileDeviceEvents       10000, 10001

# define Network Host Activities
define NetworkHost              1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
                                4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
                                6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280

# define PowerShell Activities
define PowerShell               169, 800, 4103, 4104, 4105, 4106

# define Printing Services Events
define PrintingServices         307

# define System Integrity Events
define SystemIntegrity          1, 2, 5, 8, 9, 4616, 4657

# define System or Service Failure Events
define SystemServiceFail        7022, 7023, 7024, 7026, 7031, 7032, 7034

# define Windows Defender Activities
define WinDefender              1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
                                1118, 1119, 2001, 2003, 2004, 3002, 5008

# define Windows Firewall Events
define WinFirewall              2005, 2006, 2009, 2033

# define Windows Update Error Events
define WinUpdateError           20, 25, 31, 34, 35

<Input Events>
    Module  im_msvistalog
    # XML attribute names are case-sensitive: every Select must use Path=, never PATH=.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
                <Select Path="Microsoft-Windows-Backup">*</Select>
                <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
                <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
                <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select>
                <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
                <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-IO/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
                <Select Path="Microsoft-Windows-LSA/Operational">*</Select>
                <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
                <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
                <Select Path="OpenSSH/Operational">*</Select>
                <Select Path="PowerShellCore/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
      # Drop every event whose ID is not in one of the lists above. The match
      # is on EventID alone, regardless of channel, so an ID shared by several
      # providers (e.g. 1001) is kept wherever it occurs.
      if    ($EventID NOT IN (%AccountUsage%)) and
            ($EventID NOT IN (%AppCrashes%)) and
            ($EventID NOT IN (%AppWhitelisting%)) and
            ($EventID NOT IN (%BootEvents%)) and
            ($EventID NOT IN (%CertServices%)) and
            ($EventID NOT IN (%ClearingLogs%)) and
            ($EventID NOT IN (%DNSDirectoryServ%)) and
            ($EventID NOT IN (%ExtMedia%)) and
            ($EventID NOT IN (%GroupPolicyError%)) and
            ($EventID NOT IN (%Installation%)) and
            ($EventID NOT IN (%KernelDriver%)) and
            ($EventID NOT IN (%MSFTCryptoAPI%)) and
            ($EventID NOT IN (%MobileDeviceEvents%)) and
            ($EventID NOT IN (%NetworkHost%)) and
            ($EventID NOT IN (%PowerShell%)) and
            ($EventID NOT IN (%PrintingServices%)) and
            ($EventID NOT IN (%SystemIntegrity%)) and
            ($EventID NOT IN (%SystemServiceFail%)) and
            ($EventID NOT IN (%WinDefender%)) and
            ($EventID NOT IN (%WinFirewall%)) and
            ($EventID NOT IN (%WinUpdateError%)) drop();

    </Exec>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module  om_tcp
    # 0.0.0.0 is a placeholder, not a reachable destination: set the SIEM
    # collector's address here. om_tcp sends in clear text; om_ssl is the
    # TLS equivalent for production use.
    Host    0.0.0.0
    Port    514
    Exec    to_json(); $Message = $raw_event; to_syslog_ietf();
</Output>

<Route 1>
    Path Events => buffer => out
</Route>
Asked October 26, 2021 - 11:34pm
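Error code 15001 is the Win32 status ERROR_EVT_INVALID_QUERY ("The specified query is invalid"), which EvtSubscribe returns when it rejects the structured query XML itself; the trailing "The operation completed successfully" is just the unrelated last-error text NXLog appends. In the config as originally posted, two Select elements spell the attribute PATH instead of Path, and XML attribute names are case-sensitive, so those elements carry no Path at all. The following linter is an added example, not code from the original post or from NXLog: it pulls the QueryXML block out of an nxlog.conf, flags mis-cased Path attributes and duplicate Query Ids (common when example blocks are merged), and checks every channel against an inventory of the host's logs. The file names lint_queryxml.py and channels.txt are assumptions; the sample query and channel set are constructed for the demonstration.

```python
"""Lint the <QueryXML> block of an NXLog im_msvistalog input before nxlog
hands it to EvtSubscribe. Added example; not part of the post or of NXLog."""
from __future__ import annotations

import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down version of the query in the post, keeping the
# two Select elements whose attribute is spelled PATH, plus one channel that
# is deliberately absent from the inventory below.
SAMPLE_QUERY = """<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select PATH="Microsoft-Windows-Backup">*</Select>
    <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>"""

# Constructed channel inventory standing in for the output of
#   Get-WinEvent -ListLog * | Select-Object -ExpandProperty LogName
# on the target server. Sysmon is intentionally missing.
SAMPLE_CHANNELS = {
    "Application",
    "Security",
    "System",
    "Microsoft-Windows-Backup",
    "Microsoft-Windows-Kernel-IO/Operational",
}


def extract_queryxml(conf_text: str) -> str | None:
    """Pull the body of the first <QueryXML>...</QueryXML> block out of nxlog.conf."""
    m = re.search(r"<QueryXML>(.*?)</QueryXML>", conf_text, re.S)
    return m.group(1).strip() if m else None


def load_channels(path: str) -> set[str]:
    """Read one channel name per line; utf-8-sig strips the BOM that Out-File adds."""
    with open(path, encoding="utf-8-sig") as fh:
        return {line.strip() for line in fh if line.strip()}


def lint_query(query_xml: str, channels: set[str]) -> list[str]:
    """Return findings for a structured event query; an empty list means clean."""
    findings: list[str] = []
    try:
        root = ET.fromstring(query_xml)
    except ET.ParseError as exc:
        return [f"query is not well-formed XML: {exc}"]
    if root.tag != "QueryList":
        findings.append(f"root element is <{root.tag}>, expected <QueryList>")
    seen_ids: set[str | None] = set()
    for query in root.iter("Query"):
        qid = query.get("Id")
        if qid in seen_ids:  # happens when two example blocks are pasted together
            findings.append(f"duplicate <Query Id={qid!r}>")
        seen_ids.add(qid)
        for sel in query:
            if sel.tag not in ("Select", "Suppress"):
                findings.append(f"unexpected <{sel.tag}> inside <Query Id={qid!r}>")
                continue
            # XML attribute names are case-sensitive: PATH= is not Path=.
            wrong = [a for a in sel.attrib if a != "Path" and a.lower() == "path"]
            for a in wrong:
                findings.append(
                    f'<{sel.tag} {a}="{sel.attrib[a]}">: attribute name must be Path'
                )
            channel = sel.get("Path") or (sel.attrib[wrong[0]] if wrong else None)
            if channel is None:
                findings.append(f"<{sel.tag}> in <Query Id={qid!r}> has no Path attribute")
                continue
            if channel not in channels:
                findings.append(f"channel {channel!r} does not exist on this host")
    return findings


def lint_conf(conf_text: str, channels: set[str]) -> list[str]:
    """Lint the QueryXML embedded in a whole nxlog.conf."""
    query = extract_queryxml(conf_text)
    if query is None:
        return ["no <QueryXML> block found"]
    return lint_query(query, channels)


if __name__ == "__main__":
    # Usage: python lint_queryxml.py nxlog.conf channels.txt
    # With no arguments the constructed sample above is linted instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = lint_conf(fh.read(), load_channels(sys.argv[2]))
    else:
        results = lint_query(SAMPLE_QUERY, SAMPLE_CHANNELS)
    for finding in results:
        print("FINDING:", finding)
    print("OK: query passed" if not results else f"{len(results)} finding(s)")
```

Run it on the server with the real nxlog.conf and a channels.txt produced by Get-WinEvent, and fix every finding before restarting nxlog; a channel that exists on the box that generated the documentation example but not on this host is the other frequent reason a subscription fails, which is why the inventory check is there alongside the casing check.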

Answer (1)

Hey,

Please note that you're referring to NXLog Enterprise Edition documentation while trying to run NXLog Community Edition. These two versions vary, and the configuration is not always 100% compatible, since CE is, basically, based on a much older codebase.

If you're trying to build a PoC, I'd rather recommend requesting a free trial. This can get you some help from presales engineers, and if you like the results of the PoC, migration will be much smoother, since you'll avoid potential configuration issues. Notably, NXLog EE is also much more powerful than the CE version.

Best regards,
Raf