97.2. Collecting Event Log Data

This section lists and discusses the NXLog modules that can be used to collect Windows Event Log data.

97.2.1. NXLog Modules for Windows Event Log

NXLog provides four modules for capturing Windows Event Log data.

  • The im_msvistalog module is available on Windows only, and captures event log data from Windows 2008/Vista and later. It can be configured to collect event log data from the local system or from a remote system via MSRPC (MSRPC is supported by NXLog Enterprise Edition only). See Local Collection With im_msvistalog and Remote Collection With im_msvistalog.

  • The im_wseventing module is available on both Linux and Windows (NXLog Enterprise Edition only). With it, event log data can be received from remote Windows systems using Windows Event Forwarding (WEF). This is the recommended module for most cases where remote collection is required: the Windows clients initiate the connection to the collector, so it is not necessary to list each host that EventLog data will be collected from. See Remote Collection With im_wseventing.

  • The im_wmi module is available on Linux only (NXLog Enterprise Edition only). It can be used to accept event log data remotely over Windows Management Instrumentation (WMI). See Remote Collection With im_wmi.

  • The im_mseventlog module is available on Windows only, and captures event log data locally from Windows XP, Windows 2000, and Windows 2003. See Local Collection With im_mseventlog.

The Forwarding Event Log Data section gives examples for sending the captured event log data to a remote agent in BSD Syslog, JSON, or Snare formats.

For information and examples about filtering the Windows Event Log data, see the Filtering Sysmon Events section.

97.2.2. Local Collection With im_msvistalog

The im_msvistalog module can capture EventLog data from the local system running Windows 2008/Vista or later.

Note
Because the Windows Event Log subsystem does not support subscriptions to the Debug and Analytic channels, these types of events cannot be collected with the im_msvistalog module.
Example 401. Collecting EventLog Locally From Windows 2008/Vista or Later

In this example, NXLog reads all events from the local Windows EventLog. The data is converted to JSON format and written to a local file.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output file>
    Module  om_file
    File    'C:\test\sysmon.json'
    Exec    to_json();
</Output>

The im_msvistalog module can be configured with the Query directive (or the QueryXML directive) to collect only the required EventLog data. The QueryXML block uses the same XPath-based QueryList syntax as Event Viewer custom views, so a filter can be built and tested in Event Viewer before it is copied into nxlog.conf.

Example 402. Querying a Subset of EventLog Data

Here, NXLog queries the local Windows EventLog for events from the Sysmon Operational channel (Microsoft-Windows-Sysmon/Operational) only.

nxlog.conf
<Input in>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

This query collects System channel events with levels from 0 to 3, that is, LogAlways (0), Critical (1), Error (2), and Warning (3); Information (4) and Verbose (5) events are excluded. Note that the XPath comparison operator must be written as the XML entity &lt; inside the QueryXML block.

nxlog.conf
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path='System'>*[System/Level&lt;4]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
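Before a QueryXML filter goes into nxlog.conf it is worth confirming on the Windows host that it selects what is intended. Get-WinEvent accepts the identical QueryList document, so the two queries above can be run unchanged. The following PowerShell is an added example, not part of the NXLog documentation: it runs both queries, reports how many events matched and which levels were seen, and then lists every Debug or Analytic channel on the host, since those are exactly the channels im_msvistalog cannot subscribe to. The -MaxEvents limit of 500 is an arbitrary assumption to keep the check fast.

```powershell
# Added example (not from the NXLog docs): validate QueryXML filters with Get-WinEvent
# before using them in im_msvistalog. Run in an elevated PowerShell on the Windows host.

# The same QueryList documents as in the nxlog.conf examples above.
$queries = [ordered]@{
    'Sysmon operational' = @'
<QueryList>
  <Query Id="0">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
'@
    'System, Level 0-3' = @'
<QueryList>
  <Query Id="0">
    <Select Path="System">*[System/Level&lt;4]</Select>
  </Query>
</QueryList>
'@
}

foreach ($name in $queries.Keys) {
    try {
        # -MaxEvents (assumed 500 here) keeps the check quick; drop it to scan the whole log.
        $events = Get-WinEvent -FilterXml ([xml]$queries[$name]) -MaxEvents 500 -ErrorAction Stop
        $levels = ($events | Select-Object -ExpandProperty Level | Sort-Object -Unique) -join ','
        '{0}: {1} event(s), levels seen: {2}' -f $name, $events.Count, $levels
    } catch {
        # Get-WinEvent raises an error when the channel does not exist (for example Sysmon is
        # not installed) or when nothing matched; either way the filter needs a second look.
        '{0}: {1}' -f $name, $_.Exception.Message
    }
}

# Channels of type Debug or Analytical cannot be subscribed to, so im_msvistalog (and WEF)
# will never deliver their events. List them so nobody expects them in the NXLog output.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogType -in 'Debug', 'Analytical' } |
    Select-Object LogName, LogType, IsEnabled |
    Sort-Object LogName
```

If the level list for the System query contains 4 or 5, the entity escaping of the comparison operator was lost somewhere between the editor and the configuration file; if the Sysmon query reports that the channel does not exist, the Sysmon driver is not installed on that host and the input will stay silent.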

97.2.3. Remote Collection With im_msvistalog

NXLog Enterprise Edition can be configured with the im_msvistalog module for collection of events generated on remote Windows systems. In this mode, it is not necessary to run an NXLog agent on the Windows systems. Instead, MSRPC is used to receive the events.

Note
Because the Windows EventLog subsystem does not support subscriptions to the Debug and Analytic channels, these types of events cannot be collected with the im_msvistalog module.
Example 403. Receiving EventLog Data over MSRPC

In this example configuration, the im_msvistalog module is used to get events from a remote server named mywindowsbox using MSRPC. The query collects everything from the Application and System channels, but only Level 4 (Information) events from the Security channel.

To replicate this example in your environment, modify the RemoteServer, RemoteUser, RemoteDomain, and RemotePassword directives to reflect the access credentials for the target machine. Note that RemotePassword is stored in clear text in nxlog.conf, so the file must be readable only by the account NXLog runs under, and the account used for collection should be a dedicated one with read access to the event logs rather than Administrator.

nxlog.conf
<Input in>
    Module          im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level=4]</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    RemoteServer   mywindowsbox
    RemoteUser     Administrator
    RemoteDomain   Workgroup
    RemotePassword secret
</Input>
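The example above logs in as Administrator, which is more privilege than reading event logs requires. The following PowerShell is an added example, not taken from the NXLog documentation, of preparing mywindowsbox for remote collection with a dedicated read-only account: it creates the account, puts it in the built-in Event Log Readers group (which grants read access to all event logs, including Security), opens the Windows Firewall rule group for the remote Event Log RPC interface, and then verifies access with Get-WinEvent -ComputerName, which reads over the same remote Event Log interface. The account name nxlogreader is an assumption; RemoteUser and RemotePassword in nxlog.conf would then be set to this account instead of Administrator.

```powershell
# Added example (not from the NXLog docs): least-privilege setup of a Windows host for
# remote im_msvistalog (MSRPC) collection. Run in an elevated PowerShell on mywindowsbox.

$user     = 'nxlogreader'                              # assumed name of the dedicated read-only account
$password = Read-Host -AsSecureString "Password for $user"

# 1. A local account that is NOT an administrator; it only needs to read event logs.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $user -Password $password -PasswordNeverExpires -UserMayNotChangePassword |
        Out-Null
}

# 2. Event Log Readers is the built-in group that grants read access to every event log,
#    including Security, which ordinary users cannot read. No admin rights are involved.
Add-LocalGroupMember -Group 'Event Log Readers' -Member $user -ErrorAction SilentlyContinue

# 3. Remote Event Log access is RPC (TCP 135 plus a dynamic port); this predefined rule
#    group opens exactly that and nothing else on the Windows Firewall.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

# 4. Verify with the new account. Get-WinEvent -ComputerName uses the remote Event Log
#    interface that im_msvistalog also uses, so a result here means NXLog will work too.
#    This part can be run on the target itself (loopback) or from another Windows host.
$cred = New-Object System.Management.Automation.PSCredential("mywindowsbox\$user", $password)
Get-WinEvent -ComputerName 'mywindowsbox' -Credential $cred -LogName 'Security' -MaxEvents 3 |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-Table -Wrap
```

If step 4 fails with an access-denied error while Administrator works, the group membership has not taken effect yet (it applies at next logon for the account) or the host blocks non-administrator remote access by policy; if it fails with an RPC-unavailable error, the firewall rule group or an intermediate firewall is the place to look.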

97.2.4. Local Collection With im_mseventlog

The im_mseventlog module can capture EventLog data from Windows XP, Windows 2000, and Windows 2003.

The module looks up the available EventLog sources stored under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog, and polls logs from each of these, or only from the sources listed in the Sources directive of the NXLog configuration.

Example 404. Forwarding EventLog Data from Windows to a Remote Host

This example shows the most basic configuration of the im_mseventlog module. This configuration forwards all EventLog sources listed in the Windows registry over the network to a remote NXLog instance at the IP address 192.168.1.1, TCP port 514. No format conversion is applied here, and om_tcp sends the data in clear text; see the Forwarding Event Log Data section for output in BSD Syslog, JSON, or Snare format, and use the om_ssl module instead of om_tcp where the transport must be encrypted.

nxlog.conf
<Input eventlog>
    Module  im_mseventlog
</Input>

<Output tcp>
    Module  om_tcp
    Host    192.168.1.1
    Port    514
</Output>

97.2.5. Remote Collection With im_wseventing

NXLog Enterprise Edition can use the im_wseventing module to receive Windows EventLog data from remote machines over WEF (Windows Event Forwarding). It works on both Windows and Linux hosts.

Example 405. Receiving Windows EventLog Data using the im_wseventing Module

This configuration listens on all interfaces (0.0.0.0) on port 5985 and accepts connections from any source computer. The Address directive is the URL the Windows clients must be configured to forward to. It also configures the server certificate, private key, and CA file used for HTTPS, so that EventLog data is not transmitted in clear text.

nxlog.conf
<Input in>
    Module           im_wseventing
    ListenAddr       0.0.0.0
    Port             5985
    Address          https://linux.corp.domain.com:5985/wsman
    HTTPSCertFile    %CERTDIR%/server-cert.pem
    HTTPSCertKeyFile %CERTDIR%/server-key.pem
    HTTPSCAFile      %CERTDIR%/ca.pem
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*</Select>
                <Select Path="Microsoft-Windows-Winsock-AFD/Operational">*</Select>
                <Select Path="Microsoft-Windows-Wired-AutoConfig/Operational">
                    *
                </Select>
                <Select Path="Microsoft-Windows-Wordpad/Admin">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

A query for specific hosts can be set by adding an additional QueryXML block with a <Computer> tag. This tag contains a pattern that NXLog matches against the name of the connecting Windows client. Computer names not matching the pattern will use the default QueryXML block (containing no <Computer> tag). The following QueryXML block, if added to the above configuration, would provide an alternate query for computer names matching the pattern foo*.

nxlog.conf
<QueryXML>
    <QueryList>
        <Computer>foo*</Computer>
        <Query Id="0" Path="Application">
            <Select Path="Application">*</Select>
        </Query>
    </QueryList>
</QueryXML>
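Nothing reaches im_wseventing until the Windows sources are told to forward to it. The following PowerShell is an added example, not from the NXLog documentation, of the client-side steps that match the listener configuration above: it trusts the CA that issued server-cert.pem, makes sure the WinRM service (which hosts the forwarding component) is running, points the Subscription Manager policy at the NXLog listener, lets the NETWORK SERVICE account read the Security log, and finally checks the forwarding log for the outcome. The CA file path C:\certs\ca.pem and the 60-second refresh interval are assumptions; in a domain the policy is normally delivered through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager) rather than written to the registry directly.

```powershell
# Added example (not from the NXLog docs): prepare a Windows source for source-initiated
# WEF towards the im_wseventing listener in the configuration above. Run elevated.

$collector = 'https://linux.corp.domain.com:5985/wsman'   # must match the Address directive
$caFile    = 'C:\certs\ca.pem'                              # assumed location of the CA certificate
$refresh   = 60                                             # assumed seconds between subscription refreshes

# 1. Trust the collector's CA, otherwise the HTTPS connection is rejected by the client.
Import-Certificate -FilePath $caFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. The forwarder runs inside the WinRM service, so the service must be running. The client
#    opens the connection, so no inbound WinRM listener is required on the source.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 3. Registry form of the "Configure target Subscription Manager" policy. Each value under the
#    key is one collector; NXLog only needs the /wsman URL from the Address directive.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name '1' -Type String -Value "Server=$collector,Refresh=$refresh"

# 4. The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
#    Membership in Event Log Readers grants read access without editing the channel ACL.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue

# 5. Apply the policy now, wait one refresh interval, and read what the forwarder reported.
#    Errors about the certificate chain or an unreachable collector show up here first.
gpupdate /target:computer /force | Out-Null
Start-Sleep -Seconds $refresh
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

On the collector side, the connecting computer name is what the <Computer> pattern in the alternate QueryXML block is matched against, so the name reported in the forwarding log is the one to use when writing host-specific queries.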

97.2.6. Remote Collection With im_wmi

The im_wmi module, available in NXLog Enterprise Edition, can be used on a system running Linux to receive EventLog data from a Windows system remotely.

Note
Fields from EventData are not transferred when using the im_wmi module, because Windows Management Instrumentation only provides mappings for the old-style EventLog structure (the Win32_NTLogEvent class).
Note
The im_wmi module offers lower performance than other approaches such as im_wseventing.
Example 406. Receiving Windows Event Log Data on Linux With im_wmi

With this configuration, NXLog will connect to 10.0.2.42 and log in as Administrator to collect Windows Event Log data. As with MSRPC collection, a dedicated account with read access to the event logs is preferable to Administrator, and the Password directive stores the secret in clear text, so nxlog.conf must be protected accordingly.

nxlog.conf
<Input in>
    Module      im_wmi
    Host        10.0.2.42
    Username    Administrator
    Password    secret
    Domain      WORKGROUP
</Input>