Request trial
Request Trial

Help with Windows Event Log and Queries.

Tags:
#1 edv

Windows Server 2019
NXLog: nxlog-ce 2.11.2190

Running the Community version to test /trial a SEIM platform (Enterprise will be acquired if the current PoC is selected).

From 132.4.2. Example monitoring configurations

I copied the code block in Example 644 into my nxlog.conf.

After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates /changes.

I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see:

ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.;  [error code: 15001]

After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors.

Can anyone help me to figure out what "error code 15001" means and /or spot where I goofed in my nxlog.conf file?

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog-events.log
LogLevel DEBUG

#Load Extensions
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# define Account Usage Events
define AccountUsage             300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \
                                4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \
                                4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \
                                4781, 4782, 4793, 5376, 5377

# define Application Crash Events
define AppCrashes               1000, 1001, 1002

# define Application Whitelisting Events
define AppWhitelisting          865, 866, 867, 868, 882, 4688, 4689, 8002, \
                                8003, 8004, 8005, 8006, 8007, 8020, 8023

# define Boot Events
define BootEvents               12, 13

# define Certificate Services Events
define CertServices             95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \
                                4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899

# define Clearing Event Logs Events
define ClearingLogs             104, 1100, 1102

# define DNS and Directory Services Events
define DNSDirectoryServ         3008, 3020, 5136, 5137, 5138, 5139, 5141

# define External Media Detection events
define ExtMedia                 400, 410

# define Group Policy Error Events
define GroupPolicyError         112, 1001, 1125, 1126, 1127, 1129

# define Software Service Installation Events
define Installation             2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \
                                1022, 1033, 7000, 7045


# define Kernel Driver Signing Events
define KernelDriver             219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                                6281

# define Microsoft Cryptography API Events
define MSFTCryptoAPI            11, 70, 90

# define Mobile Device Activities
define MobileDeviceEvents       10000, 10001

# define Network Host Activities
define NetworkHost              1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \
                                4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \
                                6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280

# define PowerShell Activities
define PowerShell               169, 800, 4103, 4104, 4105, 4106

# define Printing Services Events
define PrintingServices         307

# define System Integrity Events
define SystemIntegrity          1, 2, 5, 8, 9, 4616, 4657

# define System or Service Failure Events
define SystemServiceFail        7022, 7023, 7024, 7026, 7031, 7032, 7034

# define Windows Defender Activities
define WinDefender              1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \
                                1118, 1119, 2001, 2003, 2004, 3002, 5008

# define Windows Firewall Events
define WinFirewall              2005, 2006, 2009, 2033

# define Windows Update Error Events
define WinUpdateError           20, 25, 31, 34, 35

<Input Events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>
                <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>
                <Select PATH="Microsoft-Windows-Backup">*</Select>
                <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>
                <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>
                <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select>
                <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
                <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
                <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select>
                <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>
                <Select Path="Microsoft-Windows-LSA/Operational">*</Select>
                <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>
                <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>
                <Select Path="OpenSSH/Operational">*</Select>
                <Select Path="PowerShellCore/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
      if    ($EventID NOT IN (%AccountUsage%)) and
            ($EventID NOT IN (%AppCrashes%)) and
            ($EventID NOT IN (%AppWhitelisting%)) and
            ($EventID NOT IN (%BootEvents%)) and
            ($EventID NOT IN (%CertServices%)) and
            ($EventID NOT IN (%ClearingLogs%)) and
            ($EventID NOT IN (%DNSDirectoryServ%)) and
            ($EventID NOT IN (%ExtMedia%)) and
            ($EventID NOT IN (%GroupPolicyError%)) and
            ($EventID NOT IN (%Installation%)) and
            ($EventID NOT IN (%KernelDriver%)) and
            ($EventID NOT IN (%MSFTCryptoAPI%)) and
            ($EventID NOT IN (%MobileDeviceEvents%)) and
            ($EventID NOT IN (%NetworkHost%)) and
            ($EventID NOT IN (%PowerShell%)) and
            ($EventID NOT IN (%PrintingServices%)) and
            ($EventID NOT IN (%SystemIntegrity%)) and
            ($EventID NOT IN (%SystemServiceFail%)) and
            ($EventID NOT IN (%WinDefender%)) and
            ($EventID NOT IN (%WinFirewall%)) and
            ($EventID NOT IN (%WinUpdateError%)) drop();

    </Exec>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module  om_tcp
    Host    0.0.0.0
    Port    514
    Exec    to_json(); $Message = $raw_event; to_syslog_ietf();
</Output>

<Route 1>
    Path Events => buffer => out
</Route>
Permalink
#2 rafDeactivated Nxlog ✓
#1 edv
Windows Server 2019 NXLog: nxlog-ce 2.11.2190 Running the Community version to test /trial a SEIM platform (Enterprise will be acquired if the current PoC is selected). From 132.4.2. Example monitoring configurations I copied the code block in Example 644 into my nxlog.conf. After a bit of frustration, I pulled the current Server 2019 EventLog item list via PS> Get-WinEvent -ListLog and found that there were a few updates /changes. I made those changes and yet when I run nxlog, no logs are sent. Turning on DEBUG for LogLevel, I see: ERROR [im_msvistalog.c:1320/im_msvistalog_start()] -; [im_msvistalog.c:1285/im_msvistalog_start()] failed to subscribe to msvistalog events,the Query is invalid: The operation completed successfully.; [error code: 15001] After a bit of web searching for this error (completely fruitless) and reviewing the code block again, I can't see anywhere that a non-existent EventLog is being Selected, nor any common "typo" errors. Can anyone help me to figure out what "error code 15001" means and /or spot where I goofed in my nxlog.conf file? define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog-events.log LogLevel DEBUG #Load Extensions <Extension _syslog> Module xm_syslog </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _json> Module xm_json </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> # define Account Usage Events define AccountUsage 300, 1511, 1518, 4624, 4625, 4634, 4648, 4672, \ 4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, \ 4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, \ 4781, 4782, 4793, 5376, 5377 # define Application Crash Events define AppCrashes 1000, 1001, 1002 # define Application Whitelisting Events define AppWhitelisting 865, 866, 867, 868, 882, 4688, 4689, 8002, \ 8003, 8004, 8005, 8006, 8007, 8020, 8023 # define Boot Events define BootEvents 12, 13 # define Certificate Services Events define CertServices 95, 1001, 1002, 1003, 1004, 1006, 1007, 4870, \ 4873, 4874, 4885, 4886, 4887, 4890, 4896, 4899 # define Clearing Event Logs Events define ClearingLogs 104, 1100, 1102 # define DNS and Directory Services Events define DNSDirectoryServ 3008, 3020, 5136, 5137, 5138, 5139, 5141 # define External Media Detection events define ExtMedia 400, 410 # define Group Policy Error Events define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129 # define Software Service Installation Events define Installation 2, 6, 19, 800, 903, 904, 905, 906, 907, 908, \ 1022, 1033, 7000, 7045 # define Kernel Driver Signing Events define KernelDriver 219, 3001, 3002, 3003, 3004, 3010, 3023, 5038, \ 6281 # define Microsoft Cryptography API Events define MSFTCryptoAPI 11, 70, 90 # define Mobile Device Activities define MobileDeviceEvents 10000, 10001 # define Network Host Activities define NetworkHost 1024, 4706, 4713, 4714, 4716, 4719, 4769, 4778, \ 4779, 4897, 5140, 5142, 5144, 5145, 5632, 6272, \ 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280 # define PowerShell Activities define PowerShell 169, 800, 4103, 4104, 4105, 4106 # define Printing Services Events define PrintingServices 307 # define System Integrity Events define SystemIntegrity 1, 2, 5, 8, 9, 4616, 4657 # define System or Service Failure Events define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034 # define Windows Defender Activities define WinDefender 1005, 1006, 1007, 1008, 1009, 1010, 1116, 1117, \ 1118, 1119, 2001, 2003, 2004, 3002, 5008 # define Windows Firewall Events define WinFirewall 2005, 2006, 2009, 2033 # define Windows Update Error Events define WinUpdateError 20, 25, 31, 34, 35 <Input Events> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Application">*</Select> <Select Path="Security">*</Select> <Select Path="System">*</Select> <Select Path="Windows PowerShell">*</Select> <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select> <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select> <Select PATH="Microsoft-Windows-Backup">*</Select> <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select> <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select> <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select> <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select> <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select> <Select PATH="Microsoft-Windows-Kernel-IO/Operational">*</Select> <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select> <Select Path="Microsoft-Windows-LSA/Operational">*</Select> <Select Path="Microsoft-Windows-NTLM/Operational">*</Select> <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select> <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select> <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> <Select Path="Microsoft-Windows-PrintService/Admin">*</Select> <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select> <Select Path="Microsoft-Windows-Time-Service/Operational">*</Select> <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select> <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select> <Select Path="OpenSSH/Operational">*</Select> <Select Path="PowerShellCore/Operational">*</Select> </Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%AccountUsage%)) and ($EventID NOT IN (%AppCrashes%)) and ($EventID NOT IN (%AppWhitelisting%)) and ($EventID NOT IN (%BootEvents%)) and ($EventID NOT IN (%CertServices%)) and ($EventID NOT IN (%ClearingLogs%)) and ($EventID NOT IN (%DNSDirectoryServ%)) and ($EventID NOT IN (%ExtMedia%)) and ($EventID NOT IN (%GroupPolicyError%)) and ($EventID NOT IN (%Installation%)) and ($EventID NOT IN (%KernelDriver%)) and ($EventID NOT IN (%MSFTCryptoAPI%)) and ($EventID NOT IN (%MobileDeviceEvents%)) and ($EventID NOT IN (%NetworkHost%)) and ($EventID NOT IN (%PowerShell%)) and ($EventID NOT IN (%PrintingServices%)) and ($EventID NOT IN (%SystemIntegrity%)) and ($EventID NOT IN (%SystemServiceFail%)) and ($EventID NOT IN (%WinDefender%)) and ($EventID NOT IN (%WinFirewall%)) and ($EventID NOT IN (%WinUpdateError%)) drop(); </Exec> </Input> <Processor buffer> Module pm_buffer MaxSize 102400 Type disk </Processor> <Output out> Module om_tcp Host 0.0.0.0 Port 514 Exec to_json(); $Message = $raw_event; to_syslog_ietf(); </Output> <Route 1> Path Events => buffer => out </Route>

Hey,

Please note, that you're referring to NXLog Enterprise Edition documentation, while trying to run NXLog Community Edition. These two versions vary, and the configuration is not always 100% compatible, since CE is, basically, based on much older codebase.

If you're trying to build a PoC, I'd rather recommend requesting a free trial.. This can get you some help from presales engineers, and if you like the results of PoC - migration will be much smoother, since you'll avoid potential configuration issues. Noteworthy, NXLog EE is also much more powerful than the CE version.

Best regards,
Raf
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS