Hi,

Microsoft has deployed the new Sysmon program (Sysinternals), which 
would make Windows syslogging useful for a central Linux-based 
syslog solution. Unfortunately syslog forwarders like nxlog do not 
forward the interesting data to the syslog server. By default it 
generates via

<Input in>
    Module      im_msvistalog
    #Exec convert_fields("windows-1252", "utf-8");
    Exec parse_syslog_bsd();
</Input>

<Output out>
    Module      om_udp
    Host        192.168.1.57
    Port        514
</Output>

more or less spam, because messages like "process created" or "File 
creation time change" without any further info are useless. With 
the module xm_xml

   Exec log_info("Other fields are: " + to_xml());

I can get the full parameter set in XML format. Unfortunately I've 
found no useful hint in the nxlog documentation on how to extract 
data fields like

- TargetFilename
- Image
- CommandLine
- ParentCommandLine

$raw_event and $Message do not contain this data.

NXLOG Community Edition Reference Manual for v2.8.1248:

"In addition to the standard set of fields which are listed under 
the System section, event providers can define their own additional
schema which enables logging additional data under the EventData 
section. ... nxlog can extract this data when fields are logged 
using this schema. The values will be available in the fields of 
the internal nxlog log structure."

What is the "internal nxlog log structure" and how do I work with it? 
I've found no further hints :(

"These fields can be used in filtering rules, writing them into SQL 
tables or to trigger actions."

I want these fields in the syslog message and not in SQL tables or 
triggering any actions. In the NXLOG Community Edition Reference 
Manual there are some examples with the function 

   to_syslog_bsd()

If I use it 1:1 from the example, I get the error message: "does not 
exist or takes different arguments"

The syslog module is present 

<Extension syslog>
    Module xm_syslog
</Extension>

That's why I do not understand the error message.

Can one of you help me with this? I would guess a lot of people 
would be interested in such a solution. Is there an easy solution?


Frank
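The following is an added example, not part of Frank's post and not code from the nxlog project or its manual. It shows one way to do what the post asks for: im_msvistalog already puts each EventData element of a Sysmon event into a field of the same name (that is the "internal nxlog log structure" the manual refers to), so fields such as $Image or $CommandLine can be appended to $Message before to_syslog_bsd() builds the wire format. The channel path, the 192.168.1.57 target from the post, and the assumption that the Sysmon EventData element names map 1:1 onto nxlog field names are all assumptions here; to_syslog_bsd() only resolves when the xm_syslog extension is loaded in the same configuration.

```nxlog
# Added example (not from the original post or the nxlog project).
# Assumes nxlog CE with im_msvistalog, xm_syslog and om_udp available,
# and that Sysmon EventData elements appear as same-named nxlog fields.

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    # Only read the Sysmon operational channel (assumed channel path).
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                    </Query>\
                </QueryList>
    # Append the interesting EventData fields to $Message, but only when
    # the event actually carries them; defined() keeps events without a
    # given field (e.g. no TargetFilename on a process-create event) from
    # raising an undefined-field error.
    Exec        if defined($Image) $Message = $Message + " Image=" + $Image;
    Exec        if defined($CommandLine) $Message = $Message + " CommandLine=" + $CommandLine;
    Exec        if defined($ParentCommandLine) $Message = $Message + " ParentCommandLine=" + $ParentCommandLine;
    Exec        if defined($TargetFilename) $Message = $Message + " TargetFilename=" + $TargetFilename;
</Input>

<Output out>
    Module      om_udp
    Host        192.168.1.57
    Port        514
    # Build the BSD syslog line from the (now enriched) record. This call
    # is provided by xm_syslog; without that <Extension> block nxlog
    # reports that the procedure does not exist.
    Exec        to_syslog_bsd();
</Output>

<Route r>
    Path        in => out
</Route>
```

If the receiving side should parse key/value pairs rather than free text, the same Exec lines can instead set $Message to to_json() from the xm_json extension, which serialises every field of the record, including all EventData fields, without listing them one by one.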


------------------------------------------------------------------------------
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
