NXLog User Guide

109.19. EventLog for Windows XP/2000/2003 (im_mseventlog)

This module can be used to collect EventLog messages on Microsoft Windows platforms. The module looks up the available EventLog sources stored under the registry key SYSTEM\CurrentControlSet\Services\Eventlog and polls logs from each of these sources or only the sources defined with the Sources directive.

Note

Windows Vista, Windows 2008, and later use a new EventLog API which is not backward compatible. Messages in some events produced by sources in this new format cannot be resolved with the old API which is used by this module. If such an event is encountered, a $Message similar to the following will be set: The description for EventID XXXX from source SOURCE cannot be read by im_mseventlog because this does not support the newer WIN2008/Vista EventLog API. Consider using the im_msvistalog module instead.

Though the majority of event messages can be read with this module even on Windows 2008/Vista and later, it is recommended to use the im_msvistalog module instead.

Note

Strings are stored in DLL and executable files and need to be read by the module when reading EventLog messages. If a program (DLL/EXE) is already uninstalled and is not available for looking up a string, the following message will appear instead:

The description for EventID XXXX from source SOURCE cannot be found.

109.19.1. Configuration

The im_mseventlog module accepts the following directives in addition to the common module directives.

ReadFromLast: This optional boolean directive instructs the module to only read logs which arrived after NXLog was started if the saved position could not be read (for example on first start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If ReadFromLast is FALSE, the module will read all logs from the EventLog. This can result in quite a lot of messages, and is usually not the expected behavior. If this directive is not specified, it defaults to TRUE.

SavePos: This boolean directive specifies that the file position should be saved when NXLog exits. The file position will be read from the cache file upon startup. The default is TRUE: the file position will be saved if this directive is not specified. Even if SavePos is enabled, it can be explicitly turned off with the global NoCache directive.

Sources: This optional directive takes a comma-separated list of EventLog filenames, such as Security, Application, to select specific EventLog sources for reading. If this directive is not specified, then all available EventLog sources are read (as listed in the registry). This directive should not be confused with the $SourceName fielded contained within the EventLog and it is not a list of such names. The value of this is stored in the FileName field.

UTF8: If this optional boolean directive is set to TRUE, all strings will be converted to UTF-8 encoding. Internally this calls the convert_fields procedure. The xm_charconv module must be loaded for the character set conversion to work. The default is TRUE, but conversion will only occur if the xm_charconv module is loaded, otherwise strings will be in the local codepage.

109.19.2. Fields

The following fields are used by im_mseventlog.

$raw_event (type: string): A string containing the $EventTime, $Hostname, $Severity, and $Message from the event.

$AccountName (type: string): The username associated with the event.

$AccountType (type: string): The type of the account. Possible values are: User, Group, Domain, Alias, Well Known Group, Deleted Account, Invalid, Unknown, and Computer.

$Category (type: string): The category name resolved from CategoryNumber.

$CategoryNumber (type: integer): The category number, stored as Category in the EventRecord.

$Domain (type: string): The domain name of the user.

$EventID (type: integer): The event ID of the EventRecord.

$EventTime (type: datetime): The TimeGenerated field of the EventRecord.

$EventTimeWritten (type: datetime): The TimeWritten field of the EventRecord.

$EventType (type: string): The type of the event, which is a string describing the severity. Possible values are: ERROR, AUDIT_FAILURE, AUDIT_SUCCESS, INFO, WARNING, and UNKNOWN.

$FileName (type: string): The logfile source of the event (for example, Security or Application).

$Hostname (type: string): The host or computer name field of the EventRecord.

$Message (type: string): The message from the event.

$RecordNumber (type: integer): The number of the event record.

$Severity (type: string): The normalized severity name of the event. See $SeverityValue.

$SeverityValue (type: integer)

The normalized severity number of the event, mapped as follows.

Event Log Severity	Normalized Severity
0/Audit Success	2/INFO
0/Audit Failure	4/ERROR
1/Critical	5/CRITICAL
2/Error	4/ERROR
3/Warning	3/WARNING
4/Information	2/INFO
5/Verbose	1/DEBUG

Event Log Severity

Normalized Severity

0/Audit Success

2/INFO

0/Audit Failure

4/ERROR

1/Critical

5/CRITICAL

2/Error

4/ERROR

3/Warning

3/WARNING

4/Information

2/INFO

5/Verbose

1/DEBUG

$SourceName (type: string): The event source which produced the event (the subsystem or application name).

109.19.3. Examples

Example 558. Forwarding EventLogs from a Windows Machine to a Remote Host

This configuration collects Windows EventLog and forwards the messages to a remote host via TCP.

nxlog.conf


  1
2
3
4
5
6
7
8
9
10
11
12
13

  <Input eventlog>
    Module      im_mseventlog
</Input>

<Output tcp>
    Module      om_tcp
    Host        192.168.1.1
    Port        514
</Output>

<Route eventlog_to_tcp>
    Path        eventlog => tcp
</Route>