
Initiated a 30-day trial today to test what I had thought would be a fairly straightforward use case.

The following config works fine to forward Windows events from the local machine via syslog, but when I add the File directive for im_msvistalog to the Input module section, the events in the file are not forwarded over syslog. The file is correctly formatted and can be read via the Event Viewer. I also tested writing the contents of the file to a local JSON file as per the examples in the documentation; that worked fine as well.

The file is publicly available at: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_sysmon-3-rdp-tun.evtx

Here are the contents of the config file:

NoCache True
define LOGHOST 192.168.xxx.xxx

<Extension syslog>
Module xm_syslog
</Extension>

<Input event_in>
Module im_msvistalog
File C:\Program Files\nxlog\logs\test_log.evtx
Exec $Hostname = hostname();
</Input>

<Output tcp_out>
Module om_tcp
Host %LOGHOST%:514
Exec to_syslog_snare();
</Output>

<Route 1>
Path event_in => tcp_out
</Route>

Asked February 16, 2022 - 2:26am

Answer (1)

Hi,

The im_msvistalog module is responsible for log collection from the Windows Event Log, but no file input is allowed in the module. For that you need to use im_file with the path of the input file. Since these are two separate modules, they need to be defined independently, and you can add both to the same route at the end of the configuration. Please try changing the configuration to something like this:

NoCache True
define LOGHOST 192.168.xxx.xxx

<Extension syslog>
Module xm_syslog
</Extension>

<Input event_in>
Module im_msvistalog
SavePos TRUE
ReadFromLast TRUE
Exec $Hostname = hostname();
</Input>

<Input file_in>
Module im_file
File C:\Program Files\nxlog\logs\test_log.evtx
InputType LineBased
SavePos TRUE
Exec $Hostname = hostname();
</Input>

<Output tcp_out>
Module om_tcp
Host %LOGHOST%:514
Exec to_syslog_snare();
</Output>

<Route 1>
Path event_in, file_in => tcp_out
</Route>

Comments (1)

  • jprad

    Gabor,

    Thank you, but as per the following documentation, the im_msvistalog input module supports a File directive in the EE of NXLog: https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html

    "The File directive can be specified multiple times to read from multiple files. This module finds files only when the module instance is started; any files added later will not be read until it is restarted. If the log file specified by this directive is updated with new event records while NXLog is running (the file size or modification date attribute changes), the module detects the newly appended records on the fly without requiring the module instance to be restarted. Reading a Windows Event Log file directly is mostly useful for forensics purposes. The System log would be read directly with the following:"
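Added example, not from the thread and not a confirmed fix for the problem above: an NXLog Enterprise Edition configuration that reads a static EVTX file with the im_msvistalog File directive quoted in the documentation above, forwards it as Snare syslog, and writes a local JSON copy so that a collection failure can be told apart from a transport failure. It assumes NXLog EE (the File directive is not in the Community Edition), the NXLog 5 `Host host:port` form for om_tcp already used in the thread, NXLog's single-quoted string syntax for a path containing spaces and backslashes, and placeholder values for the file paths and LOGHOST.

```conf
# Added example (NXLog EE assumed). Paths and LOGHOST are placeholders.
NoCache True
define LOGHOST 192.168.xxx.xxx

<Extension syslog>
    Module  xm_syslog
</Extension>

# Needed for to_json() in the file output below.
<Extension json>
    Module  xm_json
</Extension>

<Input evtx_file>
    Module        im_msvistalog
    # Single quotes: no backslash escaping, and the spaces in the path are safe.
    File          'C:\Program Files\nxlog\logs\test_log.evtx'
    # A forensic sample file contains only historic records. ReadFromLast TRUE
    # (the default) would seek to the end and forward nothing, so read from the
    # first record, and do not persist a position so a restart replays the file.
    ReadFromLast  FALSE
    SavePos       FALSE
    Exec          $Hostname = hostname();
</Input>

<Output tcp_out>
    Module  om_tcp
    Host    %LOGHOST%:514
    Exec    to_syslog_snare();
</Output>

# Local copy of the same records. If this file fills while nothing arrives at
# LOGHOST, the EVTX is being read and the problem is on the syslog/TCP side.
<Output json_out>
    Module  om_file
    File    'C:\Program Files\nxlog\data\test_log.json'
    Exec    to_json();
</Output>

<Route replay>
    Path    evtx_file => tcp_out, json_out
</Route>
```

The two settings worth checking first are ReadFromLast and SavePos: with both left at their defaults, a module instance pointed at a file that never receives new records has nothing to emit, which looks exactly like "events are not forwarded" even though the file is readable.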