Hi All
I've got nxlog installed on a Windows Server 2008R2 Domain Controller. I've
been writing out to a file for debugging purposes and have been able to
trim out those events that had little or no value. However, I'm now working
on how to get rid of the "N/A" that is appearing in the event logs. The
following snippets show up as a single file without CRs or LBs; I've
added some here for readability only. Once this gets to the SIEM it is
lost, as the SIEM (QRadar) does not know what to do with the events, since the
events don't appear to be in standard syslog format.
++++++++++++++++++++++++++++++++++
samples
++++++++++++++++++++++++++++++++++
N/A<14>Dec 18 20:48:45 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog 2
N/A N/A Wed Dec 18 20:48:45 2013 7036 Service Control
Manager N/A N/A INFO DRMARDC102.Global.Bio-Rad.Com N/A
EventTime=2013-12-18 20:48:45 Hostname=DRMARDC102.Global.Bio-Rad.Com
Keywords=-9187343239835811840 EventType=INFO SeverityValue=2 Severity=INFO
EventID=7036 SourceName='Service Control Manager'
ProviderGuid={555908D1-A6D7-4695-8E1E-26931D2012F4} Version=0 Task=0
OpcodeValue=0 RecordNumber=637429 ProcessID=504 ThreadID=5724
Channel=System Message='The nxlog service entered the stopped state.'
param1=nxlog param2=stopped EventReceivedTime=2013-12-18 20:53:20
SourceModuleName=in SourceModuleType=im_msvistalog
N/A<14>Dec 18 20:49:02 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog
2 N/A N/A Wed Dec 18 20:49:02 2013 256
vmStatsProvider N/A N/A INFO DRMARDC102.Global.Bio-Rad.Com
General EventTime=2013-12-18 20:49:02
Hostname=DRMARDC102.Global.Bio-Rad.Com Keywords=36028797018963968
EventType=INFO SeverityValue=2 Severity=INFO EventID=256
SourceName=vmStatsProvider Task=1 RecordNumber=944804 ProcessID=0
ThreadID=0 Channel=Application Message='The "vmStatsProvider" is
successfully initialized for this Virtual Machine. WMI namespace:
"root\CIMV2".' Category=General Opcode=Info EventReceivedTime=2013-12-18
20:53:21 SourceModuleName=in SourceModuleType=im_msvistalog
N/A<14>Dec 18 20:49:02 DRMARDC102.Global.Bio-Rad.Com MSWinEventLog
2 N/A N/A Wed Dec 18 20:49:02 2013 8002
Microsoft-Windows-NTLM SYSTEM User INFO DRMARDC102.Global.Bio-Rad.Com
Auditing NTLM EventTime=2013-12-18 20:49:02
Hostname=DRMARDC102.Global.Bio-Rad.Com Keywords=-9223372036854775808
EventType=INFO SeverityValue=2 Severity=INFO EventID=8002
SourceName=Microsoft-Windows-NTLM
ProviderGuid={AC43300D-5FCC-4800-8E99-1BD3F85F0320} Version=0 Task=2
OpcodeValue=0 RecordNumber=15883545 ProcessID=512 ThreadID=5856
Channel=Microsoft-Windows-NTLM/Operational Domain='NT AUTHORITY'
AccountName=SYSTEM UserID=SYSTEM AccountType=User Message='NTLM server
blocked audit: Audit Incoming NTLM Traffic that would be blocked Calling
process PID: 4 Calling process name: Calling process LUID: 0x3e7
Calling process user identity: DRMARDC102$ Calling process domain
identity: GLOBAL Mechanism OID: 1.3.6.1.4.1.311.2.2.10 Audit NTLM
authentication requests to this server that would be blocked if the
security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is
set to Deny all accounts or Deny all domain accounts. If you want this
server to allow NTLM authentication, set the security policy Network
Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.'
Category='Auditing NTLM' Opcode=Info CallerPID=4 ClientLUID=0x3e7
ClientUserName=DRMARDC102$ ClientDomainName=GLOBAL
MechanismOID=1.3.6.1.4.1.311.2.2.10 EventReceivedTime=2013-12-18 20:53:21
SourceModuleName=in SourceModuleType=im_msvistalog
+++++++++++++++++++++++++++++++++++++++++++
nxlog config
+++++++++++++++++++++++++++++++++++++++++++
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir D:\syslog_data\data
LogFile D:\syslog_data\data\nxlog.log
# Include fileop while debugging, also enable in the output module below
<Extension fileop>
Module xm_fileop
</Extension>
<Extension kvp>
Module xm_kvp
KVDelimiter =
KVPDelimiter \t
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
Exec if ($EventType == 'VERBOSE') OR ($Channel == 'Microsoft-Windows-GroupPolicy') OR ($Channel == 'Application') \
        OR ($EventID == 8002) OR ($EventID == 8245) OR ($EventID == 1111) OR ($EventID == 102) OR ($EventID == 200) OR ($EventID == 203) OR ($EventID == 101) OR ($EventID == 311) \
        OR ($EventID == 5312) OR ($EventID == 5313) OR ($EventID == 5857) OR ($EventID == 5315) OR ($EventID == 5145) OR ($EventID == 5156) OR ($EventID == 5140) \
        OR ($EventID == 4656) OR ($EventID == 4661) OR ($EventID == 4697) OR ($EventID == 4698) OR ($EventID == 4699) OR ($EventID == 4700) OR ($EventID == 4701) \
        OR ($EventID == 4702) OR ($EventID == 4928) OR ($EventID == 4929) OR ($EventID == 4930) OR ($EventID == 4931) OR ($EventID == 4932) OR ($EventID == 4658) \
        OR ($EventID == 4933) OR ($EventID == 4933) OR ($EventID == 4935) OR ($EventID == 4936) OR ($EventID == 4937) OR ($EventID == 602) OR ($EventID == 4016) \
        OR ($EventID == 4611) OR ($EventID == 4688) OR ($EventID == 4689) OR ($EventID == 4696) OR ($EventID == 1704) OR ($EventID == 704) drop();
ReadFromLast TRUE
</Input>
<Output qradar>
Module om_tcp
Host 10.1.249.38
Port 514
Exec kvp->to_kvp(); $Message = $raw_event; to_syslog_snare();
# Debug copy of exactly what is sent; file_write() appends no line terminator,
# so successive records run together in this file.
Exec file_write("D:\\syslog_data\\data\\nxlog_output_7.log", $raw_event);
</Output>
<Route 1>
Path in => qradar
</Route>
Regards
Tim Washburn
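Added example (not part of the post above and not nxlog's own code): a small Python checker for a debug file like the one described, where Snare-format records have been written back to back with no line terminators. It splits the stream at each syslog PRI tag, parses the syslog header and the tab-separated Snare body, and counts which Snare fields carry the "N/A" filler, so you can see which event properties are missing before the records reach the SIEM. It assumes the field order visible in the samples (Tag, Criticality, LogName, Counter, DateTime, EventID, SourceName, UserName, SIDType, EventLogType, ComputerName, Category, DataString, ExpandedString) and reads the "N/A" at the start of each sample as the trailing ExpandedString of the preceding record; both are my reading of the samples, not something the post states. The sample stream, hostname and DataString content are constructed placeholders.

```python
import re
from collections import Counter

# Field layout of a Snare-format record after the syslog header, as inferred
# from the samples in the post (tab-separated; the post rendered tabs as spaces).
SNARE_FIELDS = [
    "Tag", "Criticality", "LogName", "Counter", "DateTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "Category", "DataString", "ExpandedString",
]

# Constructed sample: two records written back to back with no line terminator,
# modelled on the first and third samples in the post. Hostname and DataString
# are placeholders, not values from the post.
SAMPLE_STREAM = (
    "<14>Dec 18 20:48:45 dc01.example.test MSWinEventLog\t2\tN/A\tN/A\t"
    "Wed Dec 18 20:48:45 2013\t7036\tService Control Manager\tN/A\tN/A\tINFO\t"
    "dc01.example.test\tN/A\tEventTime=2013-12-18 20:48:45 EventID=7036\tN/A"
    "<14>Dec 18 20:49:02 dc01.example.test MSWinEventLog\t2\tN/A\tN/A\t"
    "Wed Dec 18 20:49:02 2013\t8002\tMicrosoft-Windows-NTLM\tSYSTEM\tUser\tINFO\t"
    "dc01.example.test\tAuditing NTLM\tEventTime=2013-12-18 20:49:02 EventID=8002\tN/A"
)

# BSD syslog header: <PRI>MMM dd HH:MM:SS hostname, followed by the Snare body.
HEADER_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL
)


def split_records(stream):
    """Split a stream with no line terminators at each syslog PRI tag.

    Assumes a '<digits>' sequence does not occur inside a message body; if it
    can, split on the full '<PRI>MMM dd HH:MM:SS' header instead.
    """
    return [part for part in re.split(r"(?=<\d{1,3}>)", stream) if part]


def parse_record(record):
    """Parse one record into a dict of syslog header values plus Snare fields."""
    match = HEADER_RE.match(record)
    if not match:
        raise ValueError("not a syslog record: %r" % record[:40])
    pri, timestamp, host, body = match.groups()
    columns = body.split("\t")
    if len(columns) != len(SNARE_FIELDS):
        raise ValueError("expected %d tab-separated fields, got %d"
                         % (len(SNARE_FIELDS), len(columns)))
    fields = dict(zip(SNARE_FIELDS, columns))
    fields["pri"] = int(pri)
    fields["timestamp"] = timestamp
    fields["syslog_host"] = host
    return fields


def na_report(records):
    """Count, per Snare field, how many parsed records carry the 'N/A' filler."""
    counts = Counter()
    for rec in records:
        for name in SNARE_FIELDS:
            if rec[name] == "N/A":
                counts[name] += 1
    return counts


def reline(stream):
    """Re-insert the missing terminators so each record sits on its own line."""
    return "\n".join(split_records(stream)) + "\n"


if __name__ == "__main__":
    parsed = [parse_record(r) for r in split_records(SAMPLE_STREAM)]
    for name, count in sorted(na_report(parsed).items()):
        print("%-15s N/A in %d of %d records" % (name, count, len(parsed)))
    print(reline(SAMPLE_STREAM), end="")
```

Run it against the real debug file by replacing SAMPLE_STREAM with the file's contents; the per-field counts tell you which Windows event properties (user, SID type, category, log name, counter) are absent for which event sources, and reline() gives a copy with one record per line for side-by-side comparison with what the SIEM receives.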
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users