97.2. Collecting Event Log Data
This section lists and discusses the NXLog modules that can be used to collect Windows Event Log data.
97.2.1. NXLog Modules for Windows Event Log
NXLog provides four modules for capturing Windows Event Log data.
-
The im_msvistalog module is available on Windows only, and captures event log data from Windows 2008/Vista and later. It can be configured to collect event log data from the local system or from a remote system via MSRPC (MSRPC is supported by NXLog Enterprise Edition only). See Local Collection With im_msvistalog and Remote Collection With im_msvistalog.
-
The im_wseventing module is available on both Linux and Windows (NXLog Enterprise Edition only). With it, event log data can be received from remote Windows systems using Windows Event Forwarding. This is the recommended module for most cases where remote capturing is required, because it is not necessary to specify each host that EventLog data will be captured from. See Remote Collection With im_wseventing.
-
The im_wmi module is available on Linux only (NXLog Enterprise Edition only). It can be used to accept event log data remotely over Windows Management Instrumentation (WMI). See Remote Collection With im_wmi.
-
The im_mseventlog module is available on Windows only, and captures event log data locally from Windows XP, Windows 2000, and Windows 2003. See Local Collection With im_mseventlog.
The Forwarding Event Log Data section gives examples for sending the captured event log data to a remote agent in BSD Syslog, JSON, or Snare formats.
For information and examples about filtering the Windows Event Log data, see the Sysmon Filtering Sysmon Events section.
97.2.2. Local Collection With im_msvistalog
The im_msvistalog module can capture EventLog data from the local system running Windows 2008/Vista or later.
|
Note
|
Because the Windows Event Log subsystem does not support subscriptions to the Debug and Analytic channels, these types of events can not be collected with the im_msvistalog module. |
In this example, NXLog reads all events from the local Windows EventLog. The data is converted to JSON format and written to a local file.
![[Download file]](images/icons/download_icon.png "Download file"){kind=icon}
1
2
3
4
5
6
7
8
9
10
11
12
13
<Extension _json>
Module xm_json
</Extension>
<Input eventlog>
Module im_msvistalog
</Input>
<Output file>
Module om_file
File 'C:\test\sysmon.json'
Exec to_json();
</Output>
The im_msvistalog module can be configured with the Query directive (or the QueryXML directive) to collect only the required EventLog data.
Here, NXLog queries the local Windows EventLog for operational events only.
1
2
3
4
5
6
7
8
9
10
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
This query collects System channel events with levels from 0 to 3.
1
2
3
4
5
6
7
8
9
10
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path='System'>*[System/Level<4]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
97.2.3. Remote Collection With im_msvistalog
NXLog Enterprise Edition can be configured with the im_msvistalog module for collection of events generated on remote Windows systems. In this mode, it is not necessary to run an NXLog agent on the Windows systems. Instead, MSRPC is used to receive the events.
|
Note
|
Because the Windows EventLog subsystem does not support subscriptions to the Debug and Analytic channels, these types of events can not be collected with the im_msvistalog module. |
In this example configuration, the im_msvistalog
module is used to get events from a remote server named mywindowsbox
using MSRPC.
To replicate this example in your environment, modify the
RemoteServer, RemoteUser, RemoteDomain, and RemotePassword to
reflect the access credentials for the target machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='1'>
<Select Path='Application'>*</Select>
<Select Path='Security'>*[System/Level=4]</Select>
<Select Path='System'>*</Select>
</Query>
</QueryList>
</QueryXML>
RemoteServer mywindowsbox
RemoteUser Administrator
RemoteDomain Workgroup
RemotePassword secret
</Input>
97.2.4. Local Collection With im_mseventlog
The im_mseventlog module can capture EventLog data from Windows XP, Windows 2000, and Windows 2003.
The module looks up the available EventLog sources stored under the
registry key SYSTEM\CurrentControlSet\Services\Eventlog, and polls
logs from each of these or only the sources defined with the Sources
directive of the NXLog configuration.
This example shows the most basic configuration of the
im_mseventlog module. This configuration forwards
all EventLog sources listed in the Windows registry over the network
to a remote NXLog instance at the IP address 192.168.1.1.
1
2
3
4
5
6
7
8
9
<Input eventlog>
Module im_mseventlog
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1
Port 514
</Output>
97.2.5. Remote Collection With im_wseventing
NXLog Enterprise Edition can use the im_wseventing module to receive Windows EventLog data from remote machines over WEF (Windows Event Forwarding). It works on both Windows and Linux hosts.
This configuration receives data from all source computers, by listening on port 5985 for connections from all sources. It also shows a configured HTTPS certificate, used to secure the transfer of EventLog data.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<Input in>
Module im_wseventing
ListenAddr 0.0.0.0
Port 5985
Address https://linux.corp.domain.com:5985/wsman
HTTPSCertFile %CERTDIR%/server-cert.pem
HTTPSCertKeyFile %CERTDIR%/server-key.pem
HTTPSCAFile %CERTDIR%/ca.pem
<QueryXML>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*</Select>
<Select Path="Microsoft-Windows-Winsock-AFD/Operational">*</Select>
<Select Path="Microsoft-Windows-Wired-AutoConfig/Operational">
*
</Select>
<Select Path="Microsoft-Windows-Wordpad/Admin">*</Select>
<Select Path="Windows PowerShell">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
A query for specific hosts can be set by adding an additional
QueryXML block with a <Computer>
tag. This tag contains a pattern that NXLog matches against
the name of the connecting Windows client. Computer names not matching
the pattern will use the default QueryXML block (containing no
<Computer> tag).
The following QueryXML block, if
added to the above configuration, would provide an alternate query for
computer names matching the pattern foo*.
1
2
3
4
5
6
7
8
<QueryXML>
<QueryList>
<Computer>foo*</Computer>
<Query Id="0" Path="Application">
<Select Path="Application">*</Select>
</Query>
</QueryList>
</QueryXML>
97.2.6. Remote Collection With im_wmi
The im_wmi module, available in NXLog Enterprise Edition, can be used on a system running Linux to receive EventLog data from a Windows system remotely.
|
Note
|
Fields from EventData are not transferred when using the
im_wmi module, because Windows Management
Instrumentation only provides mappings for the old-style
EventLog structure (the Win32_NTLogEvent class).
|
|
Note
|
The im_wmi module offers lower performance than other approaches such as im_wseventing. |
With this configuration, NXLog will connect to 10.0.2.42 and log in as Administrator to collect Windows Event Log data.
1
2
3
4
5
6
7
<Input in>
Module im_wmi
Host 10.0.2.42
Username Administrator
Password secret
Domain WORKGROUP
</Input>