
I am having trouble configuring NXLog Enterprise to forward Windows Event Log records in the original raw XML format that is shown in the XML View on the Details tab. The required data is:

<!-- Sample Security channel event (EventID 4624, logon) as the asker sees it in
     Event Viewer's XML view; host, user and address values are redacted.
     NOTE(review): Level/Task/Opcode/Keywords appear here as display strings
     ("Information", "Logon", "Audit Success"); the output the asker receives
     carries numeric TaskValue/OpcodeValue/Keywords, so the XML handed to NXLog
     by the event API may not match this rendered view exactly - confirm. -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
        <EventID>4624</EventID>
        <Version>2</Version>
        <Level>Information</Level>
        <Task>Logon</Task>
        <Opcode>Info</Opcode>
        <Keywords>Audit Success</Keywords>
        <TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
        <EventRecordID>6733</EventRecordID>
        <Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
        <Execution ProcessID="772" ThreadID="19980"/>
        <Channel>Security</Channel>
        <Computer>Redacted01</Computer>
        <Security/>
    </System>
    <EventData>
        <Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
        <Data Name="SubjectUserName">Redacted01$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">Redacted01\Redacted03</Data>
        <Data Name="TargetUserName">Redacted03</Data>
        <Data Name="TargetDomainName">Redacted01</Data>
        <Data Name="TargetLogonId">0x45b8d14</Data>
        <Data Name="LogonType">7</Data>
        <Data Name="LogonProcessName">User32 </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">Redacted01</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x438</Data>
        <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
        <Data Name="IpAddress">Redacted02</Data>
        <Data Name="IpPort">0</Data>
        <Data Name="ImpersonationLevel">Impersonation</Data>
        <Data Name="RestrictedAdminMode">-</Data>
        <Data Name="TargetOutboundUserName">-</Data>
        <Data Name="TargetOutboundDomainName">-</Data>
        <Data Name="VirtualAccount">No</Data>
        <Data Name="TargetLinkedLogonId">0x0</Data>
        <Data Name="ElevatedToken">Yes</Data>
    </EventData>
</Event>

The data I am currently receiving is the information from the General tab instead.

I have applied the following configuration to convert the data to XML format:

# NXLog Enterprise configuration as posted by the asker ('#' lines are comments).
define ROOT C:\Program Files\nxlog
# Module, cache, pid, spool and log locations, all under %ROOT%.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Loaded, but nothing below references a syslog function or procedure.
<Extension _syslog>
    Module xm_syslog
</Extension>

# Loaded, but nothing below references a JSON function or procedure.
<Extension _json>
    Module xm_json
</Extension>

# Provides to_xml(), which the in_win Exec calls.
<Extension xml>
    Module xm_xml
</Extension>

<Input in_win>
    Module im_msvistalog
        # Subscribes to every event in the Application, System and Security channels.
        Query <QueryList> \
            <Query Id="0"> \
                <Select Path="Application">*</Select> \
                <Select Path="System">*</Select> \
                <Select Path="Security">*</Select> \
            </Query> \
        </QueryList>
    # Copies $EventXML into $Message, sets $log_type, then to_xml() replaces
    # $raw_event with an XML serialization of every field of the record.
    # The received sample (empty <Message/>, then <EventReceivedTime>,
    # <SourceModuleName>, <SourceModuleType>, empty <log_type/>) is what that
    # serialization looks like, which suggests $EventXML is not populated here.
    # NOTE(review): $event_trace is not defined anywhere in this configuration,
    # so $log_type stays empty - confirm this is intended.
    # NOTE(review): im_msvistalog only fills $EventXML when CaptureEventXML is
    # TRUE (it defaults to FALSE); with that set, `$raw_event = $EventXML;` in
    # place of to_xml() would forward the event XML unchanged - confirm against
    # the im_msvistalog reference for the installed version.
    Exec $Message=$EventXML;$log_type=$event_trace;to_xml();
</Input>

# Plain UDP to a fixed collector: no delivery guarantee and no transport
# encryption for the Security channel records forwarded here (om_tcp and
# om_ssl are the TCP and TLS counterparts).
<Output out_win>
    Module om_udp
        Host 192.168.108.201:514
</Output>

# Single route: everything read by in_win goes to out_win.
<Route 2>
    Path in_win => out_win
</Route>

However, I am not able to get the desired output. The data I am currently receiving is:

09 15 2022 03:53:34 192.168.115.4 <USER:NOTE> <EventTime>2022-09-15 16:38:31</EventTime><Hostname>SOCJH-04.cryptogennepal.com</Hostname><Keywords>9232379236109516800</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4624</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>2</Version><TaskValue>12544</TaskValue><OpcodeValue>0</OpcodeValue><RecordNumber>189928</RecordNumber><ExecutionProcessID>748</ExecutionProcessID><ExecutionThreadID>11540</ExecutionThreadID><Channel>Security</Channel><Message/><Category>Logon</Category><Opcode>Info</Opcode><SubjectUserSid>S-1-5-18</SubjectUserSid><SubjectUserName>SOCJH-04$</SubjectUserName><SubjectDomainName>CGN</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId><TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid><TargetUserName>srijan.kafle</TargetUserName><TargetDomainName>CGN</TargetDomainName><TargetLogonId>0x1e170ee</TargetLogonId><LogonType>7</LogonType><LogonProcessName>Negotiat</LogonProcessName><AuthenticationPackageName>Negotiate</AuthenticationPackageName><WorkstationName>SOCJH-04</WorkstationName><LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid><TransmittedServices>-</TransmittedServices><LmPackageName>-</LmPackageName><KeyLength>0</KeyLength><ProcessId>0x2ec</ProcessId><ProcessName>C:\Windows\System32\lsass.exe</ProcessName><IpAddress>-</IpAddress><IpPort>-</IpPort><ImpersonationLevel>%%1833</ImpersonationLevel><RestrictedAdminMode>-</RestrictedAdminMode><TargetOutboundUserName>-</TargetOutboundUserName><TargetOutboundDomainName>-</TargetOutboundDomainName><VirtualAccount>%%1843</VirtualAccount><TargetLinkedLogonId>0x0</TargetLinkedLogonId><ElevatedToken>%%1843</ElevatedToken><EventReceivedTime>2022-09-15 
16:38:33</EventReceivedTime><SourceModuleName>in_win</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType><log_type/></Event>

Requesting assistance or documentation on how to achieve the desired log format.

Asked September 15, 2022 - 12:58pm

Answer (1)