97.3. Forwarding Event Log Data

After collecting the EventLog data from a Windows system with NXLog, it may need to be sent to another host. This section provides details and examples for configuring this.

Event descriptions in EventLog data may contain tabs and newlines, but these are not supported by some formats like BSD Syslog. In this case, a regular expression can be used to remove them.

Example 407. Removing Tabs and Newline Sequences

This input instance is configured to modify the $Message field (the event description) by replacing all tab characters and newline sequences with spaces.

nxlog.conf
<Input in>
    Module  im_mseventlog
    Exec    $Message =~ s/(\t|\R)/ /g;
</Input>

97.3.1. Forwarding EventLog in BSD Syslog Format

EventLog data is commonly sent in the BSD Syslog format. This can be generated with the to_syslog_bsd() procedure provided by the xm_syslog module. For more information, see Sending Syslog to a Remote Logger via UDP, TCP, or TLS.

Example 408. Sending EventLog in BSD Syslog Format

This example configuration removes tab characters and newline sequences from the $Message field, converts the event record to BSD Syslog format, and forwards the event via UDP.

nxlog.conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>

<Output udp>
    Module  om_udp
    Host    10.10.1.1
    Port    514
</Output>
Note: The to_syslog_bsd() procedure will use only a subset of the EventLog fields.
Output Sample
<14>Jan  2 10:21:16 win7host Service_Control_Manager[448]: The Computer Browser service entered the running state.

97.3.2. Forwarding Windows Event Log in JSON Format

To preserve all event log fields, the logs can be formatted as JSON. The xm_json module provides a to_json() procedure for this purpose. For more information about generating logs in JSON format, see JSON.

Example 409. Sending EventLog in JSON Format

This example configuration converts the event record to JSON format and forwards the event via TCP.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    Exec    to_json();
</Input>

<Output tcp>
    Module  om_tcp
    Host    192.168.10.1
    Port    1514
</Output>
Output Sample
{
  "EventTime": "2017-01-02 10:21:16",
  "Hostname": "win7host",
  "Keywords": -9187343239835812000,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 7036,
  "SourceName": "Service Control Manager",
  "ProviderGuid": "{525908D1-A6D5-5695-8E2E-26921D2011F3}",
  "Version": 0,
  "Task": 0,
  "OpcodeValue": 0,
  "RecordNumber": 2629,
  "ProcessID": 448,
  "ThreadID": 2872,
  "Channel": "System",
  "Message": "The Computer Browser service entered the running state.",
  "param1": "Computer Browser",
  "param2": "running",
  "EventReceivedTime": "2017-01-02 10:21:17",
  "SourceModuleName": "eventlog",
  "SourceModuleType": "im_msvistalog"
}

For compatibility with logging systems that require BSD Syslog, the JSON format can be used with a BSD Syslog header.

Example 410. Encapsulating JSON EventLog in BSD Syslog

This example configuration converts the event record to JSON, adds a BSD Syslog header, and forwards the event via UDP.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    Exec    $Message = to_json(); to_syslog_bsd();
</Input>

<Output udp>
    Module  om_udp
    Host    192.168.2.1
    Port    514
</Output>
Output Sample
<14>Jan  2 10:21:16 win7host Service_Control_Manager[448]: {"EventTime":"2017-01-02 10:21:16","Hostname":"win7host","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{525908D1-A6D5-5695-8E2E-26921D2011F3}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":2629,"ProcessID":448,"ThreadID":2872,"Channel":"System","Message":"The Computer Browser service entered the running state.","param1":"Computer Browser","param2":"running","EventReceivedTime":"2017-01-02 10:21:17","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
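A Python rendition of what Examples 407, 408 and 410 do, added here so the three steps (description cleanup, BSD Syslog header, JSON body) can be run and inspected without an NXLog host; this is not NXLog's code. The event record is constructed from the JSON sample above, and the SeverityValue-to-syslog-severity mapping and the user facility are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed event record with the fields Example 408's header needs, taken from the
# page's JSON sample; the description carries a CRLF to exercise the cleanup.
EVENT = {
    "EventTime": "2017-01-02 10:21:16",
    "Hostname": "win7host",
    "SeverityValue": 2,
    "EventID": 7036,
    "SourceName": "Service Control Manager",
    "ProcessID": 448,
    "Message": "The Computer Browser service\r\nentered the running state.",
}

# Assumed NXLog SeverityValue -> syslog severity mapping (DEBUG..CRITICAL); facility 1 (user).
SYSLOG_SEVERITY = {1: 7, 2: 6, 3: 4, 4: 3, 5: 2}
FACILITY_USER = 1

def clean_message(msg):
    # Same effect as  $Message =~ s/(\t|\R)/ /g : \R is any newline sequence, so a CRLF
    # pair becomes one space.  A newline left in a description would be taken as a record
    # boundary by line-based receivers, splitting one event into two spurious ones.
    return re.sub(r"\t|\r\n|\r|\n", " ", msg)

def bsd_header(event):
    # <PRI>Mmm dd hh:mm:ss host tag[pid]:  (RFC 3164 layout, day space-padded to width 2).
    # Spaces in SourceName are replaced with underscores so the tag stays one token.
    ts = datetime.strptime(event["EventTime"], "%Y-%m-%d %H:%M:%S")
    pri = FACILITY_USER * 8 + SYSLOG_SEVERITY[event["SeverityValue"]]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    tag = event["SourceName"].replace(" ", "_")
    return f"<{pri}>{stamp} {event['Hostname']} {tag}[{event['ProcessID']}]: "

def to_syslog_bsd(event):
    # Example 408: cleaned description behind a BSD Syslog header.
    return bsd_header(event) + clean_message(event["Message"])

def to_json_in_syslog(event):
    # Example 410: the whole record as compact JSON behind the same header.  JSON escaping
    # turns CR/LF into \r\n, so no field is lost and the line still contains no raw newline.
    return bsd_header(event) + json.dumps(event, separators=(",", ":"))

def json_payload(line):
    # Receiver side: strip the header and decode the JSON body back into a record.
    return json.loads(line.split("]: ", 1)[1])
```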

97.3.3. Forwarding Windows Event Log in the Snare Format

The Snare format is often used for Windows EventLog data. The xm_syslog module includes a to_syslog_snare() procedure which can generate the Snare format with a Syslog header. For more information about the Snare format, see Snare.

Example 411. Sending EventLog in Snare Format

This example configuration removes tab characters and newline sequences from the $Message field, converts the event record to the Snare over Syslog format, and forwards the event via UDP.

nxlog.conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_snare();
</Input>

<Output snare>
    Module  om_udp
    Host    192.168.1.1
    Port    514
</Output>
Output Sample
<14>Jan  2 10:21:16 win7host MSWinEventLog	1	System	193	Mon Jan 02 10:21:16 2017	7036	Service Control Manager	N/A	N/A	Information	win7host	N/A		The Computer Browser service entered the running state.	2773
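A receiver-side parser for the Snare-over-Syslog line produced by Example 411, added as an example and not NXLog's code; the sample line is re-typed with the tab separators the Snare format uses, and the field names follow the Snare agent's documented layout rather than anything on this page (an assumption).

```python
import re

# Constructed Snare-over-Syslog line: the page's Example 411 sample with the tab separators
# that the Snare format uses (the empty field before the description is DataString).
SNARE_LINE = (
    "<14>Jan  2 10:21:16 win7host MSWinEventLog\t1\tSystem\t193\t"
    "Mon Jan 02 10:21:16 2017\t7036\tService Control Manager\tN/A\tN/A\t"
    "Information\twin7host\tN/A\t\tThe Computer Browser service entered the running state.\t2773"
)

# Field order of a Snare Windows event line after the MSWinEventLog marker, as the Snare
# agent documents it (assumed layout; the names are not NXLog's).
SNARE_FIELDS = (
    "Criticality", "EventLogSource", "Counter", "DateTime", "EventID", "SourceName",
    "UserName", "SIDType", "EventLogType", "ComputerName", "CategoryString",
    "DataString", "ExpandedString", "Checksum",
)

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$"
)

def parse_snare(line):
    """Decode one Snare-over-Syslog line into a dict, or return None if it is malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    parts = m.group("body").split("\t")
    # The Snare layout is positional: a stray tab inside the description (which Example 411
    # strips before sending) would shift every later field, so the count is enforced.
    if parts[0] != "MSWinEventLog" or len(parts) != len(SNARE_FIELDS) + 1:
        return None
    rec = dict(zip(SNARE_FIELDS, parts[1:]))
    for key in ("Criticality", "Counter", "EventID", "Checksum"):
        if not rec[key].isdigit():
            return None
        rec[key] = int(rec[key])
    pri = int(m.group("pri"))
    rec["SyslogFacility"], rec["SyslogSeverity"] = divmod(pri, 8)
    rec["SyslogHost"] = m.group("host")
    return rec
```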